A bit of research goes a long way as we’re going to prove in this blog post. Sometimes, as we'll see with TrojanDownloader:Win32/Camec.A, a little investigation reveals that a seemingly ordinary malware is in fact an exotic bird.
The other day, we were analyzing what we thought was a run-of-the-mill trojan written in Visual Basic. Usually these are a dime a dozen since every script kiddie and Internet crook wannabe can get around copy and pasting pieces of code from the web to create a malicious executable.
Going forward with the analysis, we discovered that TrojanDownloader:Win32/Camec.A (with SHA-1 68623c11531a08d687d9b6880c436df9ad57bc40), as we’ve named it, was designed to:
- Disable UAC (User Account Controls) if the operating system is Windows Vista or Windows 7
- Gather and report back the following data to the attacker:
- Computer name
- Logged-in user name
- Hard disk serial number
- Operating system version
- Download and install two BHO components in the Windows system folder:
The last two actions were done not by the usual HTTP/FTP traffic, but rather by connecting to an SQL server database, set up in place by the malware author. Its connection string is the following:
"Provider=SQLOLEDB;Data Source=212.124.***.***,1433;Initial Catalog=p***l;Password=***;User ID=***;"
We were able to successfully connect to the database to download the two BHO components. In the meantime, we also discovered that TrojanDownloader:Win32/Camec.A had managed to collect and upload computer information for about 47,000 infected machines.
Interestingly enough, the first row of data from the computer information table has the following contents:
PC Name: MONEY
Username: Money (same as the one from the downloader's project path)
Serial HD: *****
OS version: MICROSOFT WINDOWS XP PROFESSIONAL
You draw your own conclusions...
Trojan:Win32/Camec.A is pretty ordinary, but the trojan spyware component (TrojanSpy:Win32/Camec.A) is a real surprise! The first indication of something big came right after connecting to the database, as there were tables that the trojan downloader did not touch. After dumping and decrypting its contents (again, everything was encrypted), we discovered over 24,000 Hotmail accounts, complete with user names and passwords.
Analyzing TrojanSpy:Win32/Camec.A, we further discovered that, aside from harvesting Hotmail credentials, its main payload was to record online banking credentials and send them to another SQL server. The banks targeted are Santander, Caixa, Bradesco and Banco Brasil, all of which have a presence in Brazil.
We connected to the second database server and from what we saw at that time, there were details on 53 Santander, 923 Caixa, and 139 Bradesco accounts.
We reported the two database servers for immediate takedown, and as of this writing, these servers are no longer available. We also advise our Brazilian customers, as well as all the others, to keep their antivirus products up to date. If you suspect you’re infected, look for “soundupkd.dll” and “shdoflash.dll” in the Windows system folder, which is usually C:WinntSystem32 in Windows 2000 and NT; and C:WindowsSystem32 for XP, Vista, and 7.
In case of infection we advise you to immediately change your Hotmail and online banking credentials after disabling the malware.
All the best from Dublin,
Marian Radu and Daniel Radu