To reduce the chance of financial information being leaked, and to counter the emerging threats against users of internet financial services, these critical threats need closer attention.
As a vendor of security components for the financial sector, we monitor the date on which each malicious file first appears and collect samples of its many variants.
Furthermore, through our own "Malicious file integrated management automation system", we found that various variants had been spreading; some had already infected systems in September 2010. We are inspecting those samples.
* Anti-virus for Trojan-Spy/W32.KRBanker (For Korean Financial Supervisory Service)
* Related code in malicious file about online banking
We found that this malicious file tries to steal or tamper with the user's certificates, certificate password, account password, security card numbers and OTP (one-time password).
The collected information may be used for malicious purposes, such as withdrawing the account balance without the real owner noticing.
In addition, it contains functions to kill several well-known Korean anti-virus products, and it appears to be carefully customized for the Korean environment.
2. Malicious code activation scenario
The INCA Internet security response team tested the whole information leakage process in a real environment.
* Activation process of this malicious file
Once activated, the malicious file watches for Internet Explorer windows open on Korean online banking sites, after certain conditions are met.
It was also designed to perform bank-specific malicious behaviour, meaning the developer coded as many routines as there are banking systems it targets.
When it runs, it creates a hidden folder under the Windows system folder and monitors usage history.
The folder name "np" appears to be an abbreviation of NPKI (National Public Key Infrastructure); the malware creates another folder and tries to steal certificates stored on local or removable disks.
A .NLS file holds a screen capture of the user's screen, taken periodically; sometimes it is saved as a .DAT file instead.
The malicious file appears to perform further malicious behaviour using those captured files.
The following figure shows one of the .NLS files, containing the screen and the mouse position.
<At Kookmin Bank, the user chooses a certificate and must enter its password to prove identity>
<At KEB Bank>
A .XCD file is a plain text file containing the names of the drives on the local PC; it helps the malware locate and copy the folder where NPKI certificates are saved.
The NPKI files were copied and saved into a folder named f2nk14677.1171875.
The folder name varied depending on the user environment.
When the infected user signs in to the online banking service, the certificate screen is captured and moved to C:\Windows\Help\iishelp\common\dllimage.bmp.
The saved dllimage.bmp is then used as the background image of a fake certificate sign-in screen.
On the next sign-in, it displays a script page or a fake error and tries to trick the user into re-entering the certificate and password.
The following image is identical to Shinhan Bank's error page.
An artificial blue box has been placed over the input form to capture the password.
<An additional form is overlaid on the current form>
In certain cases it also displays a form requesting the password, OTP and security card numbers.
The entered information is saved to C:\Windows\inf\d3dx9_94_x.inf together with the date and time.
Having identified that this malicious file blocks our nProtect Netizen, we released an update for this variant on May 25, 2011.
The following image shows the test result of nProtect Netizen against this malicious file.
Netizen scans and removes the malicious file without any problem.
3. How to prevent
These financial security threats must be blocked. One of the methods we recommend is to change the sign-in form regularly.
To use online banking safely against these malicious behaviours, we recommend the following "Online banking security management tips" for general users.
INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment functions and operates a response system against various security threats.