I guess the answer is “i r o n y”: Last week a Bromium field employee searched for “polymorphic” on dictionary.com and was treated to a gloriously literal definition: The site dropped a banking Trojan!
Although the user was unaware of the attack and continued working, vSentry automatically isolated the attack, erased the malware and alerted Bromium HQ. The report provided, in real time, a detailed forensic trace of the malware as it executed, together with an encrypted manifest containing the malware sample itself. This allowed the Bromium Labs team to see immediately what had happened. The LAVA trace is shown below, as it “popped”:
The attack is incredibly noisy, reaching out to scores of C&C sites and DNS servers. If we turn off visualization of the network traffic and use the tools in LAVA to identify malicious activity, we can immediately zoom in on the crux of the attack, which is pictured below. The page invokes Java, the Java process injects shellcode, and the shellcode downloads, drops and executes OBPUPDAT.EXE, whose MD5 hash is shown on the screenshot. The dropped executable then modifies 35 registry settings to persist, sets a new browser proxy, and starts a process to capture keystrokes.
The attack is a variation on previously delivered banking trojans. OBPUPDAT.EXE steals user account details and other information delivered to the browser, and captures user passwords. It can also download malicious software and allow remote access to the compromised device.
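The behaviours listed above (browser hands content to Java, Java drops and runs an EXE from a user-writable directory, the EXE writes Run-key persistence, changes the browser proxy and fans out to many network destinations) are exactly what a triage script can look for in a process/registry/network trace. The script below is an added example, not Bromium's code and not part of LAVA; the event format, process IDs, paths, IP addresses and the fan-out threshold are all constructed for illustration.

```python
"""Triage a constructed process/registry/network trace for the drive-by
pattern described above: browser -> Java -> dropped EXE, Run-key
persistence, browser proxy change and noisy C&C fan-out.
Example code only; the trace format and all values are made up."""
import re
from collections import defaultdict

# Constructed sample trace, one event per line: kind|pid|ppid|path|detail
# The Explorer-launched javaw.exe (pid 500) is a benign control case.
SAMPLE_TRACE = """\
proc|100|1|C:\\Program Files\\Internet Explorer\\iexplore.exe|
proc|200|100|C:\\Program Files\\Java\\jre6\\bin\\javaw.exe|
file|200||C:\\Users\\bob\\AppData\\Local\\Temp\\OBPUPDAT.EXE|create
proc|300|200|C:\\Users\\bob\\AppData\\Local\\Temp\\OBPUPDAT.EXE|
reg|300||HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\obpupdat|C:\\Users\\bob\\AppData\\Local\\Temp\\OBPUPDAT.EXE
reg|300||HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyEnable|1
reg|300||HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer|127.0.0.1:8080
proc|400|1|C:\\Windows\\explorer.exe|
proc|500|400|C:\\Program Files\\Java\\jre6\\bin\\javaw.exe|
net|500||198.51.100.5:443|
""" + "".join(f"net|300||203.0.113.{i}:443|\n" for i in range(1, 13))

BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}
JAVA = {"java.exe", "javaw.exe"}
USER_WRITABLE = re.compile(r"\\(?:AppData\\Local\\Temp|Temp|Downloads)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)
PROXY_KEY = re.compile(r"\\Internet Settings\\Proxy(?:Server|Enable)$", re.I)


def parse_trace(text):
    """Parse the pipe-separated trace into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, pid, ppid, path, detail = line.split("|", 4)
        events.append({"kind": kind, "pid": int(pid),
                       "ppid": int(ppid) if ppid else None,
                       "path": path, "detail": detail})
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def lineage(procs, pid):
    """Image basenames from pid up to the root; stops at an unknown parent."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid]["path"]))
        pid = procs[pid]["ppid"]
    return chain


def analyse(events, fanout_threshold=10):
    """Return {pid: sorted indicator names} for every process that shows
    at least one of the behaviours from the post."""
    procs = {e["pid"]: e for e in events if e["kind"] == "proc"}
    # Files written in the trace, keyed by lower-cased path -> writer pid.
    written_by = {e["path"].lower(): e["pid"]
                  for e in events if e["kind"] == "file" and e["detail"] == "create"}
    hits = defaultdict(set)
    for pid, p in procs.items():
        chain = lineage(procs, pid)
        # Executable in a user-writable directory, parent is Java, grandparent a browser.
        if (USER_WRITABLE.search(p["path"]) and len(chain) >= 3
                and chain[1] in JAVA and chain[2] in BROWSERS):
            hits[pid].add("browser>java>exe_chain")
        # The executed image was written earlier in the trace by a Java process.
        writer = written_by.get(p["path"].lower())
        if writer in procs and basename(procs[writer]["path"]) in JAVA:
            hits[pid].add("java_dropped_exe")
    for e in events:
        if e["kind"] == "reg":
            if RUN_KEY.search(e["path"]):
                hits[e["pid"]].add("run_key_persistence")
            if PROXY_KEY.search(e["path"]):
                hits[e["pid"]].add("browser_proxy_change")
    dests = defaultdict(set)
    for e in events:
        if e["kind"] == "net":
            dests[e["pid"]].add(e["path"])
    for pid, d in dests.items():
        if len(d) >= fanout_threshold:
            hits[pid].add("noisy_network_fanout")
    return {pid: sorted(v) for pid, v in hits.items()}


if __name__ == "__main__":
    for pid, indicators in analyse(parse_trace(SAMPLE_TRACE)).items():
        print(pid, ", ".join(indicators))
```

The lineage check is what keeps the benign Explorer-launched Java quiet: a JRE process on its own is normal, a JRE spawned by a browser that then runs something out of Temp is not. In a real deployment the registry and network counts would come from a full trace like the one LAVA produced, where the 35 registry writes and the scores of C&C contacts make the fan-out and persistence indicators fire well above any sensible threshold.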
The attack was delivered via dictionary.com on July 7th. The first AV vendor fix emerged on July 9th, but we don’t know how long the attack had existed in the wild before that. VirusTotal has vendor signatures and analysis.