Christian Mairoll
Posted November 7, 2009

Some time ago we wrote about Zeus/Zbot, which has high spread levels and the ability to steal personal user data such as bank account details. Now a piece of malware with even more sophisticated capabilities has been found. a-squared Anti-Malware identifies this malicious file as Bebloh (Trojan.Win32.Bebloh). Bebloh is also known as URLZone, Runner, Netty, Bredavi, Bredolab, Zalup, or Kissderfrom, as seen from the VirusTotal scan results below.

This trojan kit not only steals important personal data but also steals money from the user's account directly from the victim's computer. As widely reported, many European banks have been affected by this malware, especially in Germany.

Just like Zeus/Zbot, Bebloh needs a configuration file to instruct the bot how much money to steal and to which account it should be sent. The configuration file is created with the URLZone Builder and placed on a Command and Control (C&C) server, from which the bot downloads it. Once active on the victim's computer, the trojan contacts the C&C server to download the latest version. In one of the samples we had, the trojan contacted the C&C server at hxxp://kissfromde.cn (visiting this web site may harm your computer). The downloaded file is placed in the System32 directory under a random name.

The executable file of this trojan is packed/encrypted. The encryption algorithm is fairly simple, as you can see in the screenshot below, where the trojan decrypts its body:

It opens the mutex "P0R9W05BLK8" to check whether it is already present on the victim machine:

Then the bot hooks some APIs in the wininet.dll module to monitor internet activity. When the user logs on to his bank account, the trojan steals important data such as the username and password used to log in.
When the user performs a transaction, the transaction data sent to the bank server has already been manipulated by the thief, who changes the destination account and the amount of money to be sent. To avoid raising suspicion, the trojan also manipulates the information shown about the user's account and transactions, making it look as if the transaction completed as intended. With an anti-rootkit tool such as RootkitUnhooker we can see the hooked APIs:

This malware does not allow the user to run browsers other than Internet Explorer. If the user starts one of the following browsers, Bebloh runs Internet Explorer instead:

Chrome
Safari
Opera
Netscape Navigator

It can do this because the trojan creates the following registry entries:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safari.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navigator.exe

As shown in the picture below, the trojan modifies the registry so that these browsers always run Internet Explorer instead.

How does this trojan become active when Windows starts? The trojan creates the following registry entries, registering itself as the Debugger for userinit.exe, so that when Windows runs userinit.exe at startup, the trojan file is run as well:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe\Debugger, %trojanfilename%

The user also cannot see the malware's process in Task Manager because it hides its process: the trojan enumerates the running processes to find "csrss.exe" and then injects its code into it.

How do I prevent infection by this trojan? Always update your a-squared Anti-Malware with the latest definitions.
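The two registry tricks described above (Image File Execution Options entries that swap the named browsers for Internet Explorer, and a Debugger value on userinit.exe for persistence) and the mutex check are all things a defender can look for directly. The following PowerShell script is an added example; it is not part of the original post and not Emsisoft's tooling. It lists every Debugger value under Image File Execution Options, flags the image names the post mentions, and checks whether the mutex "P0R9W05BLK8" exists. The watch list and the additional Global\ mutex name are assumptions drawn from the post; run it in an elevated PowerShell session.

```powershell
# Added example (not from the original post): audit IFEO Debugger values and
# check for the Bebloh mutex named in the write-up. Run elevated.

$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Image names taken from the post (browsers redirected to IE, plus userinit.exe
# used for persistence). Constructed list; extend it as needed.
$watchList = @('chrome.exe', 'safari.exe', 'opera.exe', 'navigator.exe', 'userinit.exe')

function Get-IfeoDebuggers {
    # Walk every IFEO subkey and return those that carry a Debugger value.
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [pscustomobject]@{
                Image    = $_.PSChildName
                Debugger = $dbg
                Watched  = ($watchList -contains $_.PSChildName.ToLower())
            }
        }
    }
}

function Test-MutexPresent {
    # Returns $true if a named mutex can be opened (or exists but is not
    # accessible), $false if no mutex of that name exists.
    param([string]$Name)
    try {
        $m = [System.Threading.Mutex]::OpenExisting($Name)
        $m.Dispose()
        return $true
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return $false
    } catch [System.UnauthorizedAccessException] {
        # The object exists but we were denied access: still a hit.
        return $true
    }
}

$findings = Get-IfeoDebuggers
if ($findings) {
    $findings | Sort-Object Watched -Descending | Format-Table -AutoSize
    $findings | Where-Object { $_.Watched } | ForEach-Object {
        Write-Warning "IFEO Debugger set for $($_.Image): $($_.Debugger)"
    }
} else {
    Write-Output 'No IFEO Debugger values found.'
}

# The post gives only the bare mutex name; checking the Global\ form as well
# is an assumption, since the namespace used by the sample is not stated.
foreach ($name in 'P0R9W05BLK8', 'Global\P0R9W05BLK8') {
    if (Test-MutexPresent $name) { Write-Warning "Mutex '$name' is present on this machine" }
}
```

A Debugger value on a browser or on userinit.exe is almost never legitimate, but developers do use IFEO Debugger entries to attach a debugger to their own programs, so treat every hit as something to review and explain rather than something to delete automatically. The mutex check is only meaningful while the trojan is running; an absent mutex says nothing about files on disk.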
The Intrusion Detection System (IDS) of a-squared Anti-Malware can also catch this malware when it performs an unwanted action. As you can see in the screenshot below, the IDS raises an alert when we try to log in to banking.postbank.de on a machine infected with this trojan, even for new variants that may not yet have signatures in the database.

How do I remove a Trojan.Win32.Bebloh infection? To remove this malware, please download and install a-squared Anti-Malware, run a full scan of all drives and move all detected items to quarantine.