Weekly Report on Viruses and Intruders – Nabload.CC, Banker.CJA Trojans

This week’s report from Panda Software on viruses and intruders clearly reflects the recent new malware trends. Two of the examples of malicious code referred to in today’s report are solely aimed at fraud and data theft, and the other two have rootkit functions.

As an example of the business model implemented and put into practice by hackers, we are today looking at Nabload.CC. This Trojan, which downloads another Trojan detected as Banker.CJA from a certain web page, is able to slip past the Windows XP firewall. It can therefore access the Internet without restrictions on its actions.

The Banker.CJA Trojan obtains information for accessing several online banks. It does this by checking if users visit the websites of online banks, and if they enter their credentials, it prevents them from accessing the legitimate web page. Instead, it shows a web page which is an imitation of the genuine one.

If users enter their details again in the false web page in the belief that there has simply been an error, Banker.CJA will log their username and password. It then sends the information collected to certain URLs, allowing hackers to access the online bank accounts.

Another malicious code that aims to return financial gains for its creator is Briz.C, a password-stealing Trojan. This Trojan has several components that are downloaded successively from the Internet. These components carry out a series of actions, such as stopping and disabling the Windows XP firewall, preventing access to certain websites related to antivirus companies, getting passwords for mail accounts, banks and other online services, etc.

Briz.C cannot spread automatically using its own means and therefore, needs an attacker to distribute it, as occurs with other Trojans. This characteristic is common to targeted attacks, a technique examined and explained by Panda Software in a white paper which can be downloaded from: www.pandasoftware.com/attacks.

With respect to rootkits, PandaLabs reports on Gurong.A, a worm that tries to download files from several IP addresses. These files are copies of the worm, although they do not have all of its functions.

Gurong.A has some typical rootkit functions, allowing it to hide processes, files and Windows Registry entries. This situation is potentially dangerous for infected users, as hackers could use it to hide processes. The TruPrevent(tm) Technologies in Panda Software solutions were able to detect this code, preventing it from being used as a rootkit, with no need for specialist anti-rootkit tools.

The last code in today’s report is another version of the veteran Bagle, in this case the HX variant. This worm tries to disable numerous services related with antivirus and security applications. Once installed, it connects to several web pages to download a file.

One of the files generated on the infected system, m_hook.sys is installed as a service and is a rootkit that hides files and registry entries created by Bagle.HX.