Method of Infection
When run, Ursnif variants copy themselves to a location such as one of the following:
- %System%\138762763.exe
- %Windows%\scvs.exe
- %Windows%\9129837.exe
Note: '%System%' and '%Windows%' are variable locations. The malware determines the location of these folders by querying the operating system rather than using a hard-coded path. The default System directory is C:\Winnt\System32 on Windows 2000 and NT, C:\Windows\System on Windows 95, 98 and ME, and C:\Windows\System32 on Windows XP. The default Windows directory is C:\Winnt on Windows 2000 and NT, and C:\Windows on Windows 95, 98, ME and XP.
Ursnif variants also create registry entries to ensure they are run at each Windows start, for example:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ttool = "%Windows%\9129837.exe"
Some variants use the following registry key to store configuration data:
HKCU\Software\Microsoft\InetData\
Later variants of the Ursnif family also drop a device driver to hide their presence on the affected system, for example:
%Windows%\hide_evr2.sys
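The file, registry and driver artifacts listed above can be swept for from an elevated PowerShell prompt. The following is an added example written for this page, not code from the original analysis. The file names, the Run value "ttool", the InetData key and the driver name come from the text above; the function name and the shape of its output are assumptions for illustration.

```powershell
# Added example for this page (not from the original analysis): sweep a
# Windows host for the Ursnif artifacts named in the write-up. File names,
# the Run value "ttool", the InetData key and the driver name come from the
# text; the function name and output shape are assumptions for illustration.
# Run from an elevated prompt.

function Get-UrsnifHostArtifacts {
    [CmdletBinding()]
    param()

    # Resolve %Windows% and %System% from the running OS, as the malware does,
    # rather than hard-coding C:\Windows or C:\Winnt.
    $windowsDir = $env:SystemRoot
    $systemDir  = [Environment]::SystemDirectory

    $filePaths = @(
        (Join-Path $systemDir  '138762763.exe'),
        (Join-Path $windowsDir 'scvs.exe'),
        (Join-Path $windowsDir '9129837.exe'),
        (Join-Path $windowsDir 'hide_evr2.sys')   # stealth driver dropped by later variants
    )

    $findings = New-Object 'System.Collections.Generic.List[object]'

    foreach ($path in $filePaths) {
        if (Test-Path -LiteralPath $path) {
            $item = Get-Item -LiteralPath $path -Force
            $findings.Add([pscustomobject]@{
                Type   = 'File'
                Where  = $path
                Detail = ('{0} bytes, created {1}' -f $item.Length, $item.CreationTime)
            })
        }
    }

    # Run-key persistence. The write-up names the value "ttool"; any other value
    # whose data points at one of the dropped file names is flagged as well.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    if (Test-Path -LiteralPath $runKey) {
        $run = Get-ItemProperty -LiteralPath $runKey
        foreach ($prop in $run.PSObject.Properties) {
            if ($providerProps -contains $prop.Name) { continue }   # skip the provider's own properties
            $data = [string]$prop.Value
            if ($prop.Name -eq 'ttool' -or $data -match '(?i)\\(138762763|9129837|scvs)\.exe') {
                $findings.Add([pscustomobject]@{
                    Type   = 'RunKey'
                    Where  = "$runKey\$($prop.Name)"
                    Detail = $data
                })
            }
        }
    }

    # Configuration store used by some variants.
    $cfgKey = 'HKCU:\Software\Microsoft\InetData'
    if (Test-Path -LiteralPath $cfgKey) {
        $key = Get-Item -LiteralPath $cfgKey
        $findings.Add([pscustomobject]@{
            Type   = 'ConfigKey'
            Where  = $cfgKey
            Detail = ('{0} value(s), {1} subkey(s)' -f $key.ValueCount, $key.SubKeyCount)
        })
    }

    # A kernel driver has to be registered as a driver service to load, and that
    # service entry is often still visible when the .sys file itself is hidden.
    Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue |
        Where-Object { $_.PathName -match '(?i)hide_evr2\.sys' } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Type   = 'Driver'
                Where  = $_.Name
                Detail = ('{0} (state: {1})' -f $_.PathName, $_.State)
            })
        }

    return $findings
}

Get-UrsnifHostArtifacts | Format-Table -AutoSize
```

An empty table means none of the named artifacts were visible to the running system, which is not the same as absence: once the hide_evr2.sys driver is loaded, file, registry and process queries made from within the infected OS can be filtered. If the driver is suspected, repeat the file and registry checks against the disk from a clean boot or an offline mount, and compare the result with what the live system reported.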
Payload
Disables Services
Some Ursnif variants disable the following system services:
- Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) service (the "SharedAccess" service)
- Security Center service ("wscsvc", introduced with Windows XP Service Pack 2) on Windows XP systems.
Steals Sensitive Information
The Ursnif family of trojans steals a variety of sensitive information from the affected machine, using several methods:
- Ursnif steals information from protected storage and the certificate store on the affected machine. This information is then posted to a remote server (at IP address 81.95.147.107).
- Ursnif variants attempt to inject code into all running processes, and use the same mechanism to inject it into newly created processes. The injected code hooks various low-level API calls and redirects them to the trojan's own code, which inspects the data passed to those APIs and steals particular items, such as usernames and passwords contained in URLs. It can also be configured to look for and steal custom information. Any stolen information is posted to a remote server.
- Ursnif variants may attempt to use the Windows Sockets interface to monitor network traffic on the affected machine, searching for user and password data from various network protocols such as POP3, FTP, IMAP and ICQ. This method did not appear to function in our laboratory tests.
Downloads and Executes Arbitrary Files
Ursnif sends information via HTTP to a remote server. The server uses this information to identify and authenticate the trojan. In return the trojan receives commands instructing it to perform one of the following operations:
- Download and execute an update of itself
- Download and execute an arbitrary file
- Download and execute an arbitrary file and set a registry entry to enable it to run at each Windows start
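The disabled services described under "Disables Services" and the HTTP command channel above give two runtime checks that complement a file and registry sweep: the state of the SharedAccess and wscsvc services, and live TCP connections to the reported server. The following is an added example written for this page, not code from the original analysis. The service names and the 81.95.147.107 address come from the text; the function name, its -KnownC2 parameter and the netstat fallback for hosts without Get-NetTCPConnection are assumptions for illustration.

```powershell
# Added example for this page (not from the original analysis). Service names
# and the C2 address are taken from the text; the function name, the -KnownC2
# parameter and the netstat fallback are assumptions for illustration.

function Get-UrsnifRuntimeIndicators {
    [CmdletBinding()]
    param(
        # Remote server reported in the analysis; add addresses from your own
        # traffic captures as they are identified.
        [string[]]$KnownC2 = @('81.95.147.107')
    )

    $findings = New-Object 'System.Collections.Generic.List[object]'

    # Services the trojan disables. wscsvc only exists on XP SP2 and later, so a
    # missing service is not itself an indicator. StartType is exposed by
    # PowerShell 5 and later; on older hosts it is simply empty. Whether a
    # stopped or disabled service is malicious depends on local policy, so
    # reconcile each hit against the host's baseline.
    foreach ($svcName in 'SharedAccess', 'wscsvc') {
        $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
        if ($null -eq $svc) { continue }
        if ($svc.Status -ne 'Running' -or $svc.StartType -eq 'Disabled') {
            $findings.Add([pscustomobject]@{
                Type   = 'Service'
                Where  = $svcName
                Detail = ('Status={0} StartType={1}' -f $svc.Status, $svc.StartType)
            })
        }
    }

    # Live TCP connections to the known server, with the owning process.
    # Get-NetTCPConnection is available on Windows 8 / Server 2012 and later;
    # older hosts fall back to parsing netstat -ano.
    $endpoints = @()
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $endpoints = Get-NetTCPConnection -ErrorAction SilentlyContinue |
            Where-Object { $KnownC2 -contains $_.RemoteAddress } |
            ForEach-Object {
                [pscustomobject]@{
                    Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
                    State     = $_.State
                    ProcessId = $_.OwningProcess
                }
            }
    } else {
        # netstat -ano columns: Proto, Local Address, Foreign Address, State, PID
        $endpoints = netstat -ano 2>$null | Where-Object { $_ -match '^\s*TCP\s' } | ForEach-Object {
            $cols = ($_ -split '\s+') | Where-Object { $_ -ne '' }
            $remoteIp = ($cols[2] -split ':')[0]
            if ($KnownC2 -contains $remoteIp) {
                [pscustomobject]@{ Remote = $cols[2]; State = $cols[3]; ProcessId = [int]$cols[4] }
            }
        }
    }

    foreach ($ep in $endpoints) {
        $proc = Get-Process -Id $ep.ProcessId -ErrorAction SilentlyContinue
        $procName = if ($proc) { $proc.ProcessName } else { 'unknown' }
        $findings.Add([pscustomobject]@{
            Type   = 'Connection'
            Where  = $ep.Remote
            Detail = ('{0} from PID {1} ({2})' -f $ep.State, $ep.ProcessId, $procName)
        })
    }

    return $findings
}

Get-UrsnifRuntimeIndicators | Format-Table -AutoSize
```

Because Ursnif injects its code into every running process, the process owning a connection to the server is likely to be a legitimate program such as a browser or Explorer; the process name identifies the injection host, not a malicious binary, and the connection itself is the indicator. The check only sees connections open at the moment it runs, so for a host that beacons intermittently, pair it with proxy or firewall logs for the same address.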
Uses Stealth
Some variants of Ursnif drop a device driver to the %Windows% directory, which they use to hide their activities on the affected machine. This includes hiding file, registry and process information related to the trojan.
Analysis by Raymond Roberts