Malware distribution techniques
April 21, 2008
At first glance this looked like a new phishing email: it claims to come from a bank, includes a long URL in the body, and concerns your banking account, telling you that you need to renew your certificate.
Connection-Colonial Bank Renewal
Certificate Renewal
Personal (Smartcard) e-Cert Personal e-Cert
Certificate owner must renew the certificate before expiry date.
Your certificate expiration date – 1 May 2008.
The system will send email (Certificate Renewal Notice) to the certificate owner ten days and 3 hours before the certificate is due to expire, if it has not been renewed. Upon receiving the renewal notice, certificate owner is required to connect to Colonial Bank Certificate Management System and present the client certificate. Secure Server e-Cert Developer e-Cert
Certificate owner has the responsibility to renew the certificate before expiry date. Successfully renewed applications will receive an email notification from Colonial Bank. Applicant can just browse to the URL stated in the email and then download the certificate.
Download now
2003 Colonial Bank, N.A.
Further investigation shows that it is in fact a technique to distribute malware. The download URL does not present a login screen; it takes you to a web site where you are asked to download the "certificate", and that file is an .exe.

The download gives us a file named Colonial_CertificateUpdate04192008.exe, which is in fact Trojan-PSW.Win32.Papras. This trojan steals login credentials and other sensitive information from the compromised system. It also drops and loads a rootkit driver to hide itself; the driver is detected as Rootkit.Win32.Agent.SZ.
As always, pay extra attention if you receive emails formatted like this.
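The core of this lure is a link that promises a certificate but delivers a Windows executable. Below is an added example (not code from this blog) of two checks a mail gateway or analyst script can apply: flag body URLs whose path ends in an executable extension, and classify a fetched "certificate" by its leading bytes (PE files start with "MZ", PEM certificates with a BEGIN header, DER with an ASN.1 SEQUENCE tag). The host bank.example in the sample body is a constructed placeholder; the file name is the one from the post.

```python
import re
from urllib.parse import urlparse

# Extensions that should never be served in response to a "download your certificate" link.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi"}
# Leading bytes used to classify the downloaded file.
PE_MAGIC = b"MZ"                              # DOS/PE executable header
PEM_HEADER = b"-----BEGIN CERTIFICATE-----"   # PEM-encoded X.509 certificate
DER_SEQUENCE = b"\x30"                        # ASN.1 SEQUENCE tag, first byte of a DER certificate

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def suspicious_links(body: str) -> list[str]:
    """Return URLs from the mail body whose path looks like a Windows executable."""
    hits = []
    for url in URL_RE.findall(body):
        path = urlparse(url).path.lower()
        if any(path.endswith(ext) for ext in EXECUTABLE_EXTS):
            hits.append(url)
    return hits


def classify_download(data: bytes) -> str:
    """Classify a downloaded 'certificate' by its magic bytes.

    The DER check is a heuristic on the first byte only, not a full ASN.1 parse.
    """
    if data.startswith(PE_MAGIC):
        return "pe-executable"
    if data.startswith(PEM_HEADER):
        return "pem-certificate"
    if data.startswith(DER_SEQUENCE):
        return "der-certificate"
    return "unknown"


# Constructed sample body modelled on the lure; bank.example is a placeholder host.
SAMPLE_BODY = (
    "Certificate owner must renew the certificate before expiry date.\n"
    "Download now: http://bank.example/certs/Colonial_CertificateUpdate04192008.exe\n"
    "Help: http://bank.example/help/renewal.html\n"
)

if __name__ == "__main__":
    for url in suspicious_links(SAMPLE_BODY):
        print("executable download link:", url)
    print(classify_download(b"MZ\x90\x00\x03\x00\x00\x00"))  # pe-executable
```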