On Monday we saw that Trojan.Silentbanker had added rootkit functionality in order to hide its own files. Today we'll look at another change that the new version of the Trojan has introduced, namely, the new configuration file format that the Trojan uses.
Trojan.Silentbanker's configuration files have always been protected, ever since the first version of the Trojan that we encountered. The reason for this protection is to make it difficult to understand what the Trojan is doing, and in particular, to hide which sites the Trojan is targeting. The original version targeted over 400 banking pages, although the actual list of targeted pages was only clearly visible once the protection had been removed from the configuration files.
In order to discover the list of sites being targeted by any version of the Trojan the protection needs to be removed from the configuration files first. The old version of the Trojan used some simple tricks to hide its configuration; however, upon inspecting the new version of the Trojan, it is immediately obvious that something has changed. The protected configuration files look very different from previous versions.
Here I will describe the new configuration files and the steps necessary to view these files in plain text. The old protection technique was to first use character translation (a=x, b=s, c=f, etc.) on the plain text configuration files and then to compress the resulting character translated text to a smaller binary format that could be downloaded quickly.
Here are some examples of what the old configuration files looked like. I'm showing the fully decrypted configuration file format first and working backwards towards the encrypted file that was downloaded by the Trojan. This is the plain text configuration file; it contains URLs to send the stolen data to, URLs to download updates from, and the URLs of targeted bank sites (the data shown has been sanitized to remove dangerous or targeted URLs):
Each new section of the configuration file starts with [..]. So, the first section is [dfgdf]. Inside each section there is a list of data for the Trojan to use. Each string of data to be used is stored after an identifier (e.g. bg1=, bg2= , bg3=, etc.).
Presented below is the text configuration file after character translation has been carried out. The character translation is only used on strings that are preceded by an "=" sign. An example of the translation is:
"b" was changed to "o"
"l" was changed to "y"
"a" was changed to "n"
"h" was changed to "u"
So that "blah" becomes "oynu"
(b=o,l=y,a=n,h=u,.=8,c=p,o=b,m=z,/=#,e=r,u=h,r=e,/=#,i=v,n=a,d=q,e=r,x=k,.=8,p=c,h=u,p=c)
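The following is an added example (not Symantec's code and not the Trojan's own routine) that reverses the character translation on a configuration file in the [section] / key=value layout described above. The table holds only the character pairs the post itself lists, so any character outside that set is passed through unchanged; the full table used by the Trojan is not given here. Reading the pairs in the post in order as a trace of a single value suggests the string "blah.com/eur/index.php", and the sample configuration below is constructed on that assumption.

```python
# Added example: undo the old Trojan.Silentbanker character translation.
# Only the pairs listed in the post are known; the table is partial by design.
FORWARD = {
    "b": "o", "l": "y", "a": "n", "h": "u", ".": "8", "c": "p", "o": "b",
    "m": "z", "/": "#", "e": "r", "u": "h", "r": "e", "i": "v", "n": "a",
    "d": "q", "x": "k", "p": "c",
}
# Every value in the partial table is distinct, so it inverts cleanly.
INVERSE = {v: k for k, v in FORWARD.items()}


def translate(text, table):
    """Map each character through the table; unmapped characters pass through."""
    return "".join(table.get(ch, ch) for ch in text)


def decode_config(blob):
    """Parse [section] headers and key=value lines into a dict of dicts.

    Per the post, translation applies only to strings after "=", so section
    names and keys are left exactly as found and only the value is untranslated.
    """
    sections = {}
    current = None
    for raw in blob.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = translate(value, INVERSE)
    return sections


# Constructed sample in the post's layout; the translated value is the trace
# from the post ("blah.com/eur/index.php" pushed through FORWARD).
SAMPLE = "[dfgdf]\nbg1=oynu8pbz#rhe#vaqrk8cuc\n"

if __name__ == "__main__":
    for section, entries in decode_config(SAMPLE).items():
        for key, value in entries.items():
            print(f"[{section}] {key} = {value}")
```

Because the mapping in the post pairs several characters symmetrically (b and o, a and n, h and u, c and p, e and r), `translate` works in both directions with the same machinery; a real decoder would need the remaining pairs recovered from the sample.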
The file shown above is not exactly what the Trojan downloads, though. What the Trojan downloads is a compressed binary configuration file, shown here:
We can see that the compressed binary format starts with FF, and on the right we can still make out some of the character translated text, too. The fact that the file starts with FF is one telltale sign that this is a Trojan.Silentbanker configuration file, and the Trojan also stores its configuration files in files named [9-11 digits].cpx. The current Trojan.Silentbanker configuration files look different though:
As we can see, there is no 0xFF at the start. So, the Trojan must be using some other type of encryption on these new configuration files. After some analysis of the Trojan we come to the following routine:
This is the decryption routine for the configuration files. Now we can start to make some sense of the configuration file shown above. Searching online for the constants used in the code above, namely C6EF3720 and 61C88647, shows us that the code is probably a TEA (Tiny Encryption Algorithm) decryption routine or a modified version of it.
After we run the decryption routine shown above, we end up with a file that looks like this:
Does this look familiar? This is, in fact, the same format as the Trojan was using previously. Notice that it starts with FF. (The "x"s on the right were an IP address that has been removed.) The latest version of the Trojan has just added a layer of encryption on top of the old protection layers. Once the TEA encryption layer has been bypassed, we can decode the configuration files in exactly the same way as for the older version of the Trojan.
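To show why those two constants point at TEA decryption, here is an added example (not Symantec's code and not the routine recovered from the Trojan) implementing standard TEA and checking the constants against its definition: 0xC6EF3720 is 32 times the TEA delta 0x9E3779B9 modulo 2^32 (the starting sum for decryption), and 0x61C88647 is that delta negated modulo 2^32 (adding it is the same as subtracting delta). The key, the little-endian word order and the block-by-block (ECB) layout are assumptions for the demonstration; the post does not give the Trojan's key or mode, and a modified variant would differ in exactly such details.

```python
import struct

MASK = 0xFFFFFFFF
DELTA = 0x9E3779B9        # TEA's golden-ratio constant
DECRYPT_SUM = 0xC6EF3720  # constant seen in the routine: (32 * DELTA) mod 2^32
NEG_DELTA = 0x61C88647    # constant seen in the routine: (-DELTA) mod 2^32


def tea_constants_match():
    """Confirm the two constants from the disassembly are TEA's decrypt constants."""
    return (32 * DELTA) & MASK == DECRYPT_SUM and (-DELTA) & MASK == NEG_DELTA


def tea_encrypt_block(v0, v1, k):
    """Standard TEA, 32 cycles; k is four 32-bit words. Final masks keep 32 bits."""
    s = 0
    for _ in range(32):
        s = (s + DELTA) & MASK
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
    return v0, v1


def tea_decrypt_block(v0, v1, k):
    """Standard TEA decryption: sum starts at 0xC6EF3720 and steps by -DELTA."""
    s = DECRYPT_SUM
    for _ in range(32):
        v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
        v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        s = (s + NEG_DELTA) & MASK  # identical to (s - DELTA) & MASK
    return v0, v1


def _words(key16):
    # Assumption: 128-bit key as four little-endian 32-bit words.
    return struct.unpack("<4I", key16)


def tea_encrypt_bytes(data, key16):
    """ECB over 8-byte blocks, little-endian words (assumed layout)."""
    if len(data) % 8:
        raise ValueError("data must be a multiple of 8 bytes")
    k = _words(key16)
    out = bytearray()
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack("<2I", data[i:i + 8])
        out += struct.pack("<2I", *tea_encrypt_block(v0, v1, k))
    return bytes(out)


def tea_decrypt_bytes(data, key16):
    """Inverse of tea_encrypt_bytes under the same assumed layout."""
    if len(data) % 8:
        raise ValueError("data must be a multiple of 8 bytes")
    k = _words(key16)
    out = bytearray()
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack("<2I", data[i:i + 8])
        out += struct.pack("<2I", *tea_decrypt_block(v0, v1, k))
    return bytes(out)


# Constructed key and plaintext: the plaintext mimics the inner layer, which the
# post notes begins with FF followed by the old config format.
DEMO_KEY = bytes(range(16))
DEMO_PLAIN = b"\xff[dfgdf]bg1=oynu"


def roundtrip_demo():
    """Encrypt then decrypt the constructed sample; returns the recovered bytes."""
    return tea_decrypt_bytes(tea_encrypt_bytes(DEMO_PLAIN, DEMO_KEY), DEMO_KEY)


if __name__ == "__main__":
    print("constants identify TEA decryption:", tea_constants_match())
    print("recovered:", roundtrip_demo())
```

The practical check an analyst makes is the one in `tea_constants_match`: if the routine's starting sum and per-round step are these two values and the round count is 32, the inner structure is standard TEA and the only unknown is the key; if the shift amounts, round count or constants have been altered, the routine is a modified TEA and the decryptor must be transcribed from the disassembly rather than taken from a library.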
(Symantec)