Watch your data! They are not safe..
Today we are going to look at a typical representative of the most common malware of the past year. The first thing you probably think of is some kind of fake antivirus ("Hey! We've found 156 critical malwares on your computer, buy us for only $99.99 and we'll clean it!"), perhaps a destructive I-Worm ("Hi, your data have been encrypted, send us just $5 and we'll send you the key..") or some kind of phishing Trojan (after typing www.realbrasilbankname.br you are redirected somewhere like https://realbrasilbankname.seriousblabla.br : "Please re-enter your PIN, login and password due to important changes in our system.."). You are wrong. Forget about any visual signs, forget about strange processes in your Task Manager and.. watch your data!
The reason is simple: why focus on one thing when we can get tons of valuable data? Let me introduce myself. My name is Trojan Horse Generic 15.BYKN and I'm nothing special. I've got thousands of brothers and sisters, I'm usually very quiet and my specialty is discreetness. You'll probably never notice my existence.
You usually download me under the name of some common program "you must have", and when you execute me, "nothing" happens. Well, nothing except that the following files are created...
%windir%\system32\sdra64.exe
%windir%\system32\lowsec\user.ds
%windir%\system32\lowsec\local.ds
%windir%\system32\lowsec\user.ds.lll
...and the following registry value is modified so that Winlogon starts me at every user logon (Userinit is a comma-separated list of commands, and my entry is simply appended after the legitimate userinit.exe):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="%windir%\\system32\\userinit.exe, %windir%\\system32\\sdra64.exe,"
...and maybe, since "nothing" happens, you try to execute me again and again (but I'm a very lonely person, so a second copy that finds my mark already present quietly gives up); I just create the following mutexes:
"_AVIRA_2108"
"_AVIRA_2109"
...but even a loner wants to talk to the world, so why not disable the Windows Firewall, as long as the following third-party firewall processes (ZoneAlarm and Outpost) are not running:
zlclient.exe
outpost.exe
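The dropped files and the Userinit entry above are the indicators a responder can check without any visual sign of infection. The script below is an added example (not code from this write-up or from AVG): it parses a Winlogon Userinit value the way Windows treats it (a comma-separated command list, trailing comma allowed) and reports every entry that is not the legitimate userinit.exe, and it matches a directory listing against the dropped-file names. The registry values and listings in it are constructed samples; on a live host you would feed it the output of `reg query` and `dir`.

```python
"""
Offline triage for the host indicators in the write-up (added example, not
AVG code). Input data below is constructed; feed real `reg query` / `dir`
output on a live host.
"""
import re

# The one entry Windows itself puts into the Winlogon Userinit value.
LEGIT_USERINIT = r"%windir%\system32\userinit.exe"

# Files dropped by the sample, exactly as given in the write-up.
DROPPED_FILES = [
    r"%windir%\system32\sdra64.exe",
    r"%windir%\system32\lowsec\user.ds",
    r"%windir%\system32\lowsec\local.ds",
    r"%windir%\system32\lowsec\user.ds.lll",
]

def normalize(path):
    """Lower-case a path and fold the usual spellings of the Windows directory."""
    p = path.strip().strip('"').lower()
    return re.sub(r"^(%windir%|%systemroot%|c:\\windows)", "%windir%", p)

def parse_userinit(value):
    """Split a Userinit REG_SZ into its command entries (empty ones dropped)."""
    return [e.strip() for e in value.split(",") if e.strip()]

def suspicious_userinit_entries(value):
    """Entries in a Userinit value other than the legitimate userinit.exe."""
    legit = normalize(LEGIT_USERINIT)
    return [e for e in parse_userinit(value) if normalize(e) != legit]

def dropped_files_present(listing):
    """Paths from a directory listing that match one of the known dropped files."""
    known = {normalize(p) for p in DROPPED_FILES}
    return sorted(p for p in listing if normalize(p) in known)

if __name__ == "__main__":
    # Constructed sample data standing in for the live registry and file system.
    userinit = r"%windir%\system32\userinit.exe, %windir%\system32\sdra64.exe,"
    listing = [
        r"C:\WINDOWS\system32\calc.exe",
        r"C:\WINDOWS\system32\sdra64.exe",
        r"C:\WINDOWS\system32\lowsec\local.ds",
    ]
    print("extra Userinit entries:", suspicious_userinit_entries(userinit))
    print("dropped files found:  ", dropped_files_present(listing))
```

The Userinit check is the more durable of the two: file names change from build to build, but anything besides userinit.exe in that value is worth a look on any Windows host.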
Okay. Maybe now you know what I am talking about. YES. It's the most common type of malware, but that's exactly why it's so dangerous. Strong obfuscation and a custom packer make detection quite difficult, and the daily (or even hourly) new releases demand high-level, advanced generic detection methods. But let's continue..
It doesn't run as a simple process, but injects a remote thread into the following processes...
- winlogon.exe
- svchost.exe
...and finally, what it really does (why does my svchost connect somewhere to New York?):
It hooks the following Windows APIs inside those processes to steal information from the user's computer and transfer it to a remote location:
ntdll!NtCreateThread
ntdll!NtQueryDirectoryFile
ws2_32!closesocket
ws2_32!send
ws2_32!WSASend
user32!GetClipboardData
user32!TranslateMessage
user32!DefWindowProcA
user32!DefWindowProcW
user32!NtUserBeginPaint
user32!NtUserEndPaint
wininet!HttpQueryInfoA
wininet!InternetReadFile
wininet!InternetReadFileExA
wininet!HttpSendRequestA
wininet!HttpSendRequestExA
wininet!HttpSendRequestExW
wininet!HttpSendRequestW
wininet!InternetCloseHandle
wininet!InternetQueryDataAvailable
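Every function in that list starts, once hooked, with a jump into the injected payload instead of its own prologue, which is what makes the infection visible to a memory check even when nothing shows in Task Manager. The script below is an added example (not code from this write-up or from AVG): it decodes the common x86 redirect shapes at the start of an export and flags the ones whose destination lies outside the module that owns the export. Addresses, module ranges and byte patterns are constructed for a 32-bit process; on a real host they would be read with ReadProcessMemory from the injected svchost/winlogon or from a memory dump.

```python
"""
Userland inline-hook check for the API list in the write-up (added example,
not AVG code). All addresses and bytes below are constructed.
"""
import struct

# Untouched hot-patchable prologue: mov edi,edi ; push ebp ; mov ebp,esp
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec")

def jmp_rel32(addr, target):
    """Encode 'jmp target' as it would be written at addr (E9 rel32)."""
    return b"\xe9" + struct.pack("<i", target - (addr + 5))

def push_ret(target):
    """Encode 'push target ; ret' (68 imm32 C3)."""
    return b"\x68" + struct.pack("<I", target) + b"\xc3"

def jmp_indirect(slot):
    """Encode 'jmp dword ptr [slot]' (FF 25 imm32)."""
    return b"\xff\x25" + struct.pack("<I", slot)

def classify_prologue(func_addr, code):
    """Return (kind, destination) for a redirecting prologue, else ("clean", None)."""
    if len(code) < 5:
        raise ValueError("need at least 5 bytes of the prologue")
    if code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp_rel32", (func_addr + 5 + rel) & 0xFFFFFFFF
    if code[0] == 0xFF and code[1] == 0x25 and len(code) >= 6:
        # Destination is the pointer slot; dereferencing it needs process memory.
        return "jmp_indirect", struct.unpack_from("<I", code, 2)[0]
    if code[0] == 0x68 and len(code) >= 6 and code[5] == 0xC3:
        return "push_ret", struct.unpack_from("<I", code, 1)[0]
    return "clean", None

def owning_module(addr, modules):
    """Name of the loaded module whose image range contains addr, or None."""
    for name, (base, size) in modules.items():
        if base <= addr < base + size:
            return name
    return None

def find_hooks(exports, modules):
    """
    exports: {"dll!Func": (address, first bytes)}; modules: {"dll": (base, size)}.
    Returns {export: (kind, destination, destination module)} for each export
    whose first instruction leaves its own module. Jumps that stay inside the
    module (thunks, forwarders) are normal and ignored; a destination module of
    None means memory backed by no loaded image, the classic sign of injected code.
    """
    hooked = {}
    for name, (addr, code) in exports.items():
        kind, dest = classify_prologue(addr, code)
        if kind == "clean":
            continue
        owner = name.split("!")[0]
        dest_module = owning_module(dest, modules)
        if dest_module != owner:
            hooked[name] = (kind, dest, dest_module)
    return hooked

# Constructed module map: only the two legitimate DLLs are loaded; the region
# around 0x00C00000 that the hooks point into is backed by no module.
SAMPLE_MODULES = {
    "ws2_32": (0x71A10000, 0x17000),
    "wininet": (0x63000000, 0xD0000),
}

# Constructed export table as it would look inside a hooked process.
SAMPLE_EXPORTS = {
    "ws2_32!send":                 (0x71A1428A, jmp_rel32(0x71A1428A, 0x00C01230)),
    "ws2_32!WSASend":              (0x71A14406, push_ret(0x00C01300)),
    "ws2_32!closesocket":          (0x71A13E2B, CLEAN_PROLOGUE),
    "wininet!HttpSendRequestA":    (0x6300A8F0, jmp_indirect(0x00C0F000)),
    "wininet!InternetReadFile":    (0x630070A0, CLEAN_PROLOGUE),
    # A legitimate thunk: jumps to another routine inside wininet itself.
    "wininet!InternetCloseHandle": (0x63005000, jmp_rel32(0x63005000, 0x63012340)),
}

if __name__ == "__main__":
    for name, (kind, dest, mod) in find_hooks(SAMPLE_EXPORTS, SAMPLE_MODULES).items():
        print(f"{name}: {kind} -> {dest:#010x} ({mod or 'no module: unbacked memory'})")
```

Two caveats for real use: a hook can also land inside another legitimate DLL (the destination module is reported so you can judge), and a hook placed deeper than the first instruction is missed by this check; comparing the whole export body against the on-disk copy of the DLL, after applying relocations, catches that case.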
And that's it. Nearly invisible, but smart and highly efficient... the most common malware. Watch your data, they're not safe.
Thanks to Peter Gramantik and Arek Kupka.
For more information please check out the AVG Blogs | Virus Lab.