Softpedia

May 23rd, 2011, 14:59 GMT · By

Brazilian Banking Malware Packs 64-Bit Rootkit

Brazilian banking malware grows increasingly sophisticated
A new piece of Brazilian banking malware capable of spoofing SSL-protected sites has been fitted with a rootkit component able to infect 64-bit Windows systems.

According to security researchers from antivirus vendor Kaspersky Lab, the malware was distributed through a drive-by download attack launched from a popular compromised Brazilian website.

The attack used a rogue Java applet that exploited vulnerabilities in older versions of the Java Runtime Environment (JRE).

Successful exploitation dropped several files on the victim's computer, including aaa.bat, add.reg, bcdedit.exe, cert_override.txt, plusdriver.sys and plusdriver64.sys.

The batch file starts the infection by importing the contents of add.reg into the registry.

This disables User Account Control (UAC) and adds a fake CA certificate to the list of Certification Authorities trusted by the machine.

The batch file then uses bcdedit.exe to change Windows boot options, turning on "DISABLE_INTEGRITY_CHECKS" and "TESTSIGNING ON", and registers the driver with "type= kernel start= boot error= normal", which is the argument syntax of sc create and installs it as a boot-start kernel-mode service.

Together these settings switch off driver signature enforcement, which on 64-bit Windows would otherwise refuse to load an unsigned driver, so that plusdriver.sys or plusdriver64.sys, depending on whether the system is 32- or 64-bit, is loaded on the next reboot.

These rootkit components modify the Windows HOSTS file, adding an entry that maps the hostname of an online banking website to a server under the attackers' control. Because HOSTS is consulted before any DNS lookup, the bank's real address is never resolved.

Visitors are therefore redirected to a phishing copy of the site, served over HTTPS with an SSL certificate issued by the rogue CA that the system now trusts, so the browser raises no certificate warning.
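The three persistence steps above (registry import, boot-option changes, HOSTS override) each leave a textual artifact that can be checked offline. The following Python triage script is an added example, not code from Kaspersky or this article: it parses a .reg file in add.reg style, the output of `bcdedit /enum {current}`, and a HOSTS file, and reports the indicators described in the text. All three inputs are constructed samples; the bank domain www.bancoexemplo.com.br, the 203.0.113.10 address (a TEST-NET-3 documentation range) and the 40-hex-digit CA thumbprint are placeholders, not real indicators.

```python
"""Offline triage for the infection chain described in the article.

Added example, not Kaspersky's or Softpedia's code. It works on exported text
(a .reg file, `bcdedit /enum {current}` output, a HOSTS file) so it can run on
any platform; on a live Windows host you would feed it the real files instead.
"""
import re

# --- constructed sample inputs (placeholders, not captured from real malware) ---
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0123456789ABCDEF0123456789ABCDEF01234567]
"Blob"=hex:5c,00,00,00,01,00,00,00
"""

SAMPLE_BCDEDIT = """Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Windows 7
nointegritychecks       Yes
testsigning             Yes
"""

SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.bancoexemplo.com.br   # hypothetical bank domain, TEST-NET-3 address
"""

# Keys under this path add a root CA trusted by every user on the machine.
ROOT_STORE_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\([0-9A-Fa-f]{40})\]",
    re.M,
)

# Entries pointing at these addresses are harmless sinkholes, not redirects.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}


def reg_findings(reg_text):
    """Report UAC being disabled and any root CA added by a .reg file."""
    findings = []
    # EnableLUA=0 turns User Account Control off machine-wide.
    if re.search(r'^"EnableLUA"=dword:0+$', reg_text, re.M):
        findings.append("uac_disabled")
    for thumb in ROOT_STORE_RE.findall(reg_text):
        findings.append("root_ca_added:" + thumb.upper())
    return findings


def bcd_findings(bcdedit_text):
    """Report boot options that weaken kernel-mode driver signature enforcement."""
    findings = []
    for line in bcdedit_text.splitlines():
        parts = line.split()
        if (len(parts) == 2
                and parts[0].lower() in ("testsigning", "nointegritychecks")
                and parts[1].lower() == "yes"):
            findings.append("boot_option:" + parts[0].lower())
    return findings


def hosts_findings(hosts_text, watched_domains):
    """Report non-loopback HOSTS mappings for domains we care about (bank sites)."""
    findings = []
    watched = {d.lower() for d in watched_domains}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        if ip in LOOPBACK:
            continue
        for name in names:
            if name.lower() in watched:
                findings.append(f"hosts_override:{name.lower()}->{ip}")
    return findings


def triage(reg_text, bcdedit_text, hosts_text, watched_domains):
    """Run all three checks and return the combined list of findings."""
    return (reg_findings(reg_text)
            + bcd_findings(bcdedit_text)
            + hosts_findings(hosts_text, watched_domains))


if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, SAMPLE_BCDEDIT, SAMPLE_HOSTS,
                          ["www.bancoexemplo.com.br"]):
        print(finding)
```

The HOSTS check deliberately ignores loopback entries, since legitimate ad-blocking and hardening tools sinkhole domains that way; only a mapping to a routable address is reported. Real .reg exports are UTF-16 with a BOM, so decode them before passing the text in.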

The malware also disables a browser security plugin that Brazilian banks commonly distribute to their customers. According to Kaspersky's Fabio Assolini, installing a rogue CA is not a new trick for Brazilian banking malware, but using rootkits that infect 64-bit systems is.

This points to growing sophistication in local fraud operations. To avoid falling victim to such attacks, users are strongly advised to keep their software, including the JRE, up to date.
