Feodo – A new botnet on the rise

Read the original article: Feodo – A new botnet on the rise


We are seeing a trend where new banking trojans are emerging on the
threat landscape very rapidly. First came Bugat, followed by Carberp.
Unfortunately, it is now time to meet 'Feodo'. Since August of this year,
when FireEye's MPS devices detected this malware in the field, we have
been monitoring this banking trojan very closely. In many ways, this
malware looks similar to other well-known banking trojans like Zbot and
SpyEye, although my analysis says that this malware is not a toolkit and
is in the hands of a single criminal group.

At the time of writing this article, AV coverage for this malware
looks very disappointing. Of the 42 antivirus engines listed on
VirusTotal, only two were able to detect it as malicious. Screenshot
from VT:

[Screenshot: VirusTotal detection results]

The complete report can be found here: MD5: 557597074df3d3ce0e1674285ef19732

Here are some high level features offered by this malware:

1. Bot herders can supply a list of URLs (mostly of banking sites)
so that the malware can start intercepting these web pages. What this
means is that whenever a user visits one of these web sites, the
malware starts submitting the web form data back to its CnC.
These web forms and the data inside them are intercepted well
before they get encapsulated into HTTPS, so transport encryption offers
no protection. All the information, including login credentials, ends up
in the hands of the bot herders in plain text.

2. It is fully capable of Man in the Browser (MITB)
attacks. This means that it can intercept the original web content coming
from legitimate servers in order to append its own crafted HTML. This
is normally done to ask the user for more information than was
originally requested by the actual server, such as PIN numbers,
Social Security numbers etc.

3. It can also steal HTML pages from your browsing sessions. Sounds
strange? Well, for any successful MITB attack, the attacker needs to
know the HTML being served by the legitimate server. Just
imagine an attacker wants to modify the HTML of the Wells Fargo
"Add New Payee" web page. Unless the attacker himself has
an account with Wells Fargo, he may not know the contents of this
page. By stealing this private page while a legitimate user is
browsing it, the attacker is in a perfect position to prepare his
future MITB attack.

How does this all happen? Let’s take a closer look.

At the time of writing this post, I can see that the bot herders are
instructing their zombies to target over a dozen banks. This is a huge
list; I rarely see even the bot herders behind Zbot targeting so many banks.

Configuration file:

[Screenshot: configuration file]

Above is the configuration file for the malware, containing all the
web URLs the bot herders want to intercept for information stealing.
In this list, one can see many famous banks like Wells Fargo, Bank of
America, Citibank etc. Many other famous web sites like Amazon.com,
Myspace, and Google Mail are in the target list as well.

Stealing web forms:

[Screenshot: intercepted Wells Fargo login form data]

Note: The above credentials are fake and were supplied by me to
generate this particular scenario.

Stealing HTML pages:

[Screenshot: stolen HTML page being uploaded]

I must say that with respect to the feature set, this malware is
almost equivalent to other known banking trojans. However, this
malware may have a few advantages over famous banking trojans like
Zbot and SpyEye. First of all, it is private code, so unlike other
toolkits it won't cost the bot herders thousands of dollars. Unlike Zbot,
which has become a victim of its own success, this malware can fly
under the radar for a long time. If the attackers want a new feature,
they don't need to wait for a new toolkit version; a change can be
made right away.

Atif Mushtaq @ FireEye Malware Intelligence Lab

Detailed Question/Comments : research SHIFT-2 fireeye DOT COM
