November 7, 2013

Russian anti-virus company Doctor Web is warning users about a malignant program that targets SAP enterprise software. This malicious application is a member of the widespread family of banking Trojans dubbed Trojan.PWS.Ibank. These programs steal passwords entered by users as well as other confidential information.

Doctor Web's analysts have conducted a comprehensive examination of this threat. Compared with other malware of the family Trojan.PWS.Ibank, this species features the modified architecture of a bot; its IPC (inter-process communication) routines have been modified, and its SOCKS5 subroutines have been removed. At the same time, the Trojan's internal encryption routine remained unchanged. Also, similarly to other Trojan.PWS.Ibank programs, the malware's payload is packed into a separate dynamic link library, and it uses the same protocol to communicate with the intruders' command and control server.

The Trojan's installer can detect whether it is being launched under a debugger or on a virtual machine, which impedes its analysis. It also checks whether it is being run under Sandboxie. The Trojan operates in both 32-bit and 64-bit versions of Windows and uses different methods to compromise different platforms. The Trojan's main module can execute two new commands (compared with previous versions of Trojan.PWS.Ibank). One of them toggles on/off the feature that blocks the operation of banking client software, while the other one is used to provide the program with a configuration file from the command and control server.

Another important feature of the Trojan.PWS.Ibank malware is its ability to inject its code into various running processes. The updated version also has additional routines to verify the names of running applications, including SAP enterprise software. The SAP's suite incorporates numerous components to manage taxes, sales and turnover, and, therefore, handles large volumes of sensitive information. The first version of the Trojan, which checks the availability of SAP software in an infected system, was spreading over the Internet as early as in June: it was added to the Dr.Web virus database as Trojan.PWS.Ibank.690. The latest modification is designated as Trojan.PWS.Ibank.752. Recall, that Trojan.PWS.Ibank programs incorporate a wide array of malicious functions, which include:

• Stealing passwords entered by users and transferring data to criminals.
• Blocking access to anti-virus company websites.
• Executing commands from a command and control server.
• Running a proxy server and a VNC server on an infected computer.
• Inflicting irreparable damage to the operating system or boot sectors.

Security experts cannot help but be alarmed by virus writers’ increased interest in SAP and ERP programs attackers can employ such technologies to steal business-critical information processed by these solutions. However, it is worth noting that to date, Trojans of the family Trojan.PWS.Ibank aren’t taking any destructive action in respect of SAP software, but are checking whether it is present in an infected system and are trying to inject their code into a corresponding process if it is running. It is possible that virus makers are intending to realise the malicious potential available to them in the days to come. Security experts cannot help but be alarmed by virus writers’ increased interest in SAP and ERP programs : attackers can employ such technologies to steal business-critical information processed by these solutions.

To date, Trojans of the family Trojan.PWS.Ibank aren’t taking any destructive action in respect of SAP software, but are checking whether it is present in an infected system and are trying to inject their code into a corresponding process if it is running. It’s highly possible that virus writers are laying the groundwork for some future malicious act.