Threat behavior
TrojanSpy:Win32/Bancos is a family of password-stealing trojans that target specific online banking Web sites, most of them located in Brazil. Depending on the variant, captured credentials may be sent to the attacker by e-mail or FTP, or to a remote server over some other protocol.
Installation
This trojan may be installed by a trojan dropper or other malicious software, and is frequently installed when the user visits a Web site that an attacker has modified, even one the user already trusts. Variants of this trojan frequently impersonate the Web sites of the targeted online banking systems in order to trick the user into entering their logon credentials or downloading other malware.
The Bancos family frequently modifies the registry within the following subkeys to execute the trojan at each Windows start:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
In the wild, this trojan has been observed to have the following file names:
- Windows32.exe
- Win.exe
- Arquivos.exe
- sxe[0-9].tmp
- sound.exe
- service.exe
- winupdbc.exe
Payload
Steals Sensitive Data
Win32/Bancos may monitor Web pages visited by the affected user and capture logon credentials for specific online financial sites such as the following:
- bradesco.com.br
- bb.com.br
- bancobrasil.com.br
- nossacaixa.com.br
- cbp.3dsolution.com.br
The information sent may contain the following types of sensitive information:
- Bank name
- IP Address
- Username and password used to log on to the site
- MAC Address
Terminates Security Software
Win32/Bancos may terminate processes of several security products such as the following:
- nod32krn.exe
- nod32kui.exe
- Kav.exe
- McShield.exe
- avgamsvr.exe
- ccapp.exe
Lowers Windows Security
Win32/Bancos may lower Windows security by adding the extensions of "high-risk" file types to the list of "low-risk" types held in registry data.
Modifies value: "LowRiskFileTypes"
With data: ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
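As an added defender-side check, not part of the original analysis, the script below audits the two registry indicators this write-up describes: Run/RunOnce entries whose image matches one of the file names observed in the wild, and high-risk extensions that have been added to LowRiskFileTypes, the Attachment Manager value that suppresses the open-file security warning for the listed types. The sample Run entries and LowRiskFileTypes string are constructed; on a Windows host the script reads the live keys instead.

```python
import re
import sys
# Extensions Windows normally treats as high-risk; Bancos appends them to
# LowRiskFileTypes so the Attachment Manager warning for such files is suppressed.
HIGH_RISK = {".exe", ".bat", ".com", ".cmd", ".reg", ".msi", ".scr"}
# File names observed in the wild (listed above); sxe[0-9].tmp is a pattern.
NAME_RE = re.compile(r"^(?:windows32\.exe|win\.exe|arquivos\.exe|sxe[0-9]\.tmp|"
                     r"sound\.exe|service\.exe|winupdbc\.exe)$", re.IGNORECASE)

def risky_low_risk_types(data):
    """Return the high-risk extensions present in a LowRiskFileTypes value."""
    exts = {e.strip().lower() for e in data.split(";") if e.strip()}
    return sorted(exts & HIGH_RISK)

def image_name(cmd):
    """Base name of the executable in a Run-key command line (quoted or not)."""
    cmd = cmd.strip()
    path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return re.split(r"[\\/]", path)[-1]

def suspicious_run_entries(entries):
    """Names of Run/RunOnce values ({name: command}) whose image matches NAME_RE."""
    return sorted(n for n, c in entries.items() if NAME_RE.match(image_name(c)))

def read_values(hive, subkey):
    """{name: data} for every value under a registry key (Windows only); missing key -> {}."""
    import winreg
    try:
        with winreg.OpenKey(hive, subkey) as key:
            vals = [winreg.EnumValue(key, i) for i in range(winreg.QueryInfoKey(key)[1])]
            return {name: str(data) for name, data, _ in vals}
    except OSError:  # key does not exist
        return {}

# Constructed sample data standing in for a compromised host.
SAMPLE_RUN = {"ctfmon": r"C:\Windows\System32\ctfmon.exe",
              "Update": r'"C:\Windows\Temp\sxe3.tmp" /silent'}
SAMPLE_LRFT = ".zip;.rar;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.gif;.scr;"
if __name__ == "__main__":
    run, lrft = SAMPLE_RUN, SAMPLE_LRFT
    if sys.platform == "win32":  # on a real host, read the live keys instead
        import winreg
        cv = r"Software\Microsoft\Windows\CurrentVersion"
        run = {**read_values(winreg.HKEY_LOCAL_MACHINE, cv + r"\Run"),
               **read_values(winreg.HKEY_LOCAL_MACHINE, cv + r"\RunOnce")}
        assoc = read_values(winreg.HKEY_CURRENT_USER, cv + r"\Policies\Associations")
        lrft = assoc.get("LowRiskFileTypes", "")
    print("suspicious Run entries:", suspicious_run_entries(run))
    print("high-risk types marked low-risk:", risky_low_risk_types(lrft))
```

A legitimate LowRiskFileTypes value normally lists only document and media types, so any entry from HIGH_RISK in it is worth investigating on its own.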
Analysis by Josh Phillips
Prevention