Earlier, we discussed Win32/Carberp, a malware family included in the November release of the Malicious Software Removal Tool. In this post, we discuss another included malware, Win32/Cridex. Win32/Cridex is a relatively new family; we discovered its first variant in the wild in August 2011. This trojan is primarily downloaded and installed by other malware, detected as TrojanDownloader:Win32/Skidlo.

Win32/Skidlo is commonly distributed as an attachment to spammed email, using various names such as "UPS_NOTIFICATION", "Changelog", "Invoice", and "XEROX_SCAN". The attachment shared the same old trick which is also used in many other spammed downloader trojans. The executable files are all in a .ZIP archive with a specially crafted file name format:

"%___Coll<0xE2><0x80><0xAE>cod.exe"

where "<0xE2><0x80><0xAE>" is three illegible and hexadecimal characters (UTF-8 encoded Unicode character ‘Right-To-Left Override’). This trick re-orders the sequence of chars from "123.456" to "654.321". When the zip file is opened by certain software, it may show as the following:


Figure 1 - Example file name of Win32/Skidlo, a trojan that downloads Win32/Cridex


The shown extension makes the malware appear as a valid Microsoft Word document instead of an executable. When run, Win32/Skidlo downloads Win32/Cridex to the local drive and executes it. A copy of Win32/Cridex is copied to the Application Data (%AppData%) folder and commonly with a misleading name and file icon, such as:


Figure 2 - Example file name of installed Win32/Cridex trojan


The trojan's payload is injected into the "explorer.exe" process to hide its presence from process tools such as Windows Task Manager. A user-mode native API ZwResumeThread is hooked in every running process to assist the trojan in copying the code injection into newly created processes. The registry is modified to run the trojan from the subkey "HKCU\Software\Microsoft\Windows\CurrentVersion\Run". These steps are typical and to ensure the malware remains resident on the affected computer.

Win32/Cridex is a multi-purpose bot that is designed for nastiness, including downloading malware, uploading your files, stealing certificates and more. The most harmful of the payload code would be the stealing of online banking credentials. As with other infamous banking trojans (Zbot, EyeStye, Carberp), Win32/Cridex monitors Internet traffic between remote servers and your web browsers (Internet Explorer and FireFox) and captures the credentials entered in certain sites.

Configuration data that contains a list of targeted websites is stored in the affected computer's registry:



Figure 3 - Illustration of registry data storage listing targeted websites


Although most of the sites are related to online banking sites from around the world, some social networking sites are also targeted (for more details, see the Win32/Cridex family description). That means that hypothetically, your online friends could become exposed to the danger of spamming via your compromised account(s).

Regardless of the use of SSL or not, Win32/Cridex hooks APIs in your web browser process to monitor and capture the clear packets before they are sent to the remote sites:


Figure 4 - Hex editor view of data captured by Win32/Cridex


To maximize the potential of capturing online credentials after Win32/Cridex is installed, the C&C could instruct the malware to delete stored web browser cookies. A symptom of this behavior could be in a newfound request to enter your account login for sites where the option to "remember login" was set. The captured post data will eventually be uploaded to the C&C server, and at that time the security of your account is now compromised.

Microsoft security products protect you from this and other online banking malware.

SHA1 of prevalent examples of this malware:
142bef5475927cc5f0b3d7200b61c00b5917a03e
fa3af04fc014cb88c654f6cd085e3424349035ba
4e7ec0ded41eb00d37cfaf72914462aa1b92efa2

-- Shawn Wang, MMPC