Installs a rootkit component of its own

Oct 21, 2009 11:08 GMT  ·  By

Security researchers from Trend Micro have identified a new banking trojan that makes use of a legitimate security tool in order to uninstall another. The application abused in this case is GMER, a free rootkit-hunting program.

This new trojan appears to target Brazilian banks, as it tries to kill a browser security plug-in called "G-Buster Browser Defense". The plug-in is used by financial institutions such as Unibanco, Banco do Brasil, Caixa Economica Federal and Banco ABN AMRO Real SA to protect sensitive transaction data from being intercepted during online banking sessions.

The trojan, identified by Trend Micro as TROJ_DLOAD.BB, is downloaded from a rogue URL as a .gif file. The extension is deceptive: it is meant to make the download look like harmless image traffic. Its payload downloads a legitimate copy of the GMER Anti-Rootkit tool and creates a batch file that invokes it in order to terminate processes associated with the "G-Buster Browser Defense" software.

In particular, the trojan makes use of GMER's potent "-killfile" switch to incapacitate the browser plug-in. Ironically, it then proceeds to download its own rootkit component, which is saved as a .sys file and installed as a driver. A few registry entries are also added so that this component loads at system startup and masquerades as the service corresponding to the killed plug-in.

The rootkit component is detected as TROJ_DAMMI.AB, and as long as it is running, the G-Buster Browser Defense plug-in is prevented from being reinstalled or run. "Without this application, the information relayed in these transactions may be exposed to malicious users and can be used for fraudulent activities later on," warns Jessa De La Torre, threat response engineer at Trend Micro.

Even though the practice of abusing a legitimate security tool to perform a malicious action is not new, it is not commonly found in malware. However, some precedent does exist, and Trend Micro cites reports of another application, The Avenger, being misused in a similar fashion. According to the description on its developer's website, "The Avenger is a fully-scriptable, kernel-level Windows driver designed to remove highly persistent files, registry keys/values, and other drivers protected by entrenched malware."