Dangerous self-spreading successor of Zeus and Carberp discovered

omidomi

Level 71
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Apr 5, 2014
6,008
In June, Doctor Web security researchers examined a new dangerous virus targeting Russian bank clients. The virus is designed to steal money from bank accounts and monitor user activity. It has borrowed a lot of features from its predecessors Zeus (Trojan.PWS.Panda) and Carberp. Yet, unlike them, it can be spread without any user intervention infecting executable files. Besides, curing of the infected computer is rather complicated and may take several hours.

Due to the ability to be spread without any user intervention and infect executable files, the malicious application, or Trojan.Bolik.1 as we named it, is categorized as a polymorphic file virus.

The most dangerous features of this banking Trojan are the abilities of self-spreading and program infecting. The function of self-spreading is activated by cybercriminals. Then Trojan.Bolik.1 checks open-for-write folders for the presence of executable files in the Windows system or on connected USB devices and then infects them. Trojan.Bolik.1 can compromise either 32-bit or 64-bit applications.

Dr.Web Anti-virus detects programs infected by this virus as Win32.Bolik.1. Every such program contains Trojan.Bolik.1 in encrypted form and other necessary information. If the user runs the infected program, the virus decrypts Trojan.Bolik.1 and launches it right in the computer’s memory without saving it to the disk. At that, the virus has a special embedded mechanism that immediately changes its code and structure responsible for the decryption procedure, which helps the virus remain unnoticed as long as possible. Moreover, Win32.Bolik.1 tries to hinder the operation of anti-virus programs that can execute malicious applications in a special emulator by implementing specific techniques that consist of different loops and repeating instructions.

As Carberp’s successor, Trojan.Bolik.1 has borrowed the presence of a virtual file system that is stored in a special file, which the Trojan saves to one of system directories or to the user folder. This file system allows the malware to covertly store information necessary for its operation on the infected machine. From Zeus, Trojan.Bolik.1 inherited a mechanism of web injections, which cybercriminals use to steal logins and passwords to access online banking applications or to steal other private information. Trojan.Bolik.1 is mainly intended to attack bank clients of Russia. This fact is proved by certain lines in the configuration file received from the C&C server.

The main purpose of Trojan.Bolik.1 is to steal confidential information. The Trojan can execute this function by several means. For example, it controls data transmitted by Microsoft Internet Explorer, Chrome, Opera, and Mozilla Firefox to steal information entered into input forms. Besides, the malware program can take screenshots and perform the keylogger functions. Trojan.Bolik.1 is also able to create its own proxy server and web server for file sharing with virus makers. The Trojan can find necessary files by a mask specified in a command. Like other today’s banking Trojans, it can also establish so called reverse connections in order to provide communication between attackers and the infected computer that is located in the firewall-protected network or that does not have an external IP address, i.e. it operates in the NAT (Network Address Translation) network. All sent and received information is encrypted with a complicated algorithm and is then compressed.

Functions and architecture of Trojan.Bolik.1 are very sophisticated, which makes it really dangerous for Windows users. Dr.Web Anti-virus detects and removes all its components; yet, the curing procedure can take much time because the structure of Trojan.Bolik.1 has its own peculiar features. Therefore, we advise our users to be patient while Dr.Web is scanning your computer.
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Self replicating and program infecting definitely marks the severity of high risk. Banks and other crucial firms must coordinate properly from security companies for latest patches and protections.
 

DardiM

Level 26
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
Very interesting Security news :)
I wonder why they only targeted Russian banks clients. A beginning before targeting other countries !? :rolleyes:
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top