Backdoor.Lavandos.a – The Ultimate Keylogger
Although it is tuned for stealing the e-banking credentials of customers of certain institutions in Russia and Ukraine, the malware goes to great lengths to capture account credentials wherever the victim happens to be.
Once on the system, Backdoor.Lavandos.A drops three DLL files and a driver that are embedded in its binary, each with a specific role. The original .exe checks which browsers are installed and writes a “setupapi.dll” into the installation root folder of each Mozilla® Firefox®, Opera® and Internet Explorer® browser it finds. This is DLL search-order hijacking: the browser loads the planted copy from its own directory instead of the genuine one from the system directory.
Another DLL is written to C:\windows\system32\sfcfiles.dll. The clean original sfcfiles.dll is encrypted and stored as a registry value under HKEY_LOCAL_MACHINE\SOFTWARE\SETTINGS\CryptoHash, and it is also copied to sfcfiles.dat. To avoid suspicion, the modified, infected sfcfiles.dll has the same size and attributes as the original file. Matching size and attributes defeats only a casual inspection; comparing a cryptographic hash of the file against a known-good copy still reveals the replacement.
The Lavandos dropper also creates a driver at %windir%\system32\drivers\sfc.sys. What is particularly interesting about this piece of malware is that the driver does not remain on disk any longer than necessary: it is kept in the Windows Registry as binary data instead, to stay out of sight.
Inside the intricacies of Lavandos
The DLL files are used by the malware to update the driver automatically and to load it when needed. Keeping the driver in the Registry rather than on disk greatly reduces the chance that an antivirus file scan will pick it up and remove it.
The update code is downloaded from hardcoded URLs that are stored encrypted under HKLM\SOFTWARE\SETTINGS\HashSeed. BitDefender Labs have identified updates being downloaded from multiple domains following this pattern: http://mv[removed]r.com/vito/page.php, http://at[removed]an.org/vito/page.php, http://s[removed]ler.net/vito/page.php, http://se[removed]dm.cn/vito/page.php, http://a[removed]0.net/vito/page.php, http://g[removed]ks.com/ole21/page.php.
When lib.dll has to load the driver, the data saved in the Registry under HKLM\SOFTWARE\SETTINGS\DriveSettings is decrypted and written to disk as c:\windows\system32\drivers\sfc.sys. As soon as the driver is loaded into memory, the file is deleted.
Another notable feature of the Trojan is that it downloads 15 more DLL files, all named dll.dll, which it likewise stores not on disk but as binary data in the Windows Registry.
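Keeping the driver and the dll.dll payloads in the Registry leaves little for a file scanner to find, but the blobs still have to sit under some key. The following is an added example, not BitDefender's removal tool or code from the write-up: it scans a .reg export for the three value names given above and for two generic tells, a PE image stored in the clear and a large high-entropy blob. The key holding the dll.dll payload, the byte contents and the sample export text are constructed assumptions.

```python
"""Scan a Windows .reg export for payloads parked in the Registry.

Added example, not BitDefender's removal tool. Flags the value names the
write-up gives for Lavandos plus two heuristics for blobs that do not
belong in the Registry: a PE image in the clear (MZ header) and a large
high-entropy blob, which is what an encrypted driver or DLL looks like.
"""
import hashlib
import math
import re

SETTINGS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\SETTINGS"
# Names from the write-up: encrypted clean sfcfiles.dll, C&C URLs, sfc.sys.
LAVANDOS_VALUES = {(SETTINGS_KEY, n) for n in ("CryptoHash", "HashSeed", "DriveSettings")}
MIN_BLOB = 512           # bytes; small REG_BINARY values are common and benign
ENTROPY_THRESHOLD = 7.0  # bits per byte; ciphertext and packed code sit near 8


def _hex_to_bytes(s):
    return bytes(int(b, 16) for b in s.replace(" ", "").split(",") if b)


def parse_reg_binary(text):
    """Yield (key, name, bytes) for each REG_BINARY ("hex:") value in a .reg export.
    regedit wraps long values over several lines that end in a backslash."""
    key, pending = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:                      # continuation line
            name, parts = pending
            parts.append(line.rstrip("\\"))
            if not line.endswith("\\"):
                pending = None
                yield key, name, _hex_to_bytes("".join(parts))
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"([^"]+)"=hex:(.*)$', line)  # bare hex: is REG_BINARY
        if m:
            name, rest = m.group(1), m.group(2)
            if rest.endswith("\\"):
                pending = (name, [rest.rstrip("\\")])
            else:
                yield key, name, _hex_to_bytes(rest)


def entropy(data):
    """Shannon entropy in bits per byte."""
    if not data:
        return 0.0
    counts, n = [0] * 256, len(data)
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan(text):
    """Return {(key, name): [reasons]} for every suspicious REG_BINARY value."""
    findings = {}
    for key, name, blob in parse_reg_binary(text):
        reasons = []
        if (key, name) in LAVANDOS_VALUES:
            reasons.append("known Lavandos value name")
        if blob[:2] == b"MZ":
            reasons.append("PE image stored in the Registry")
        elif len(blob) >= MIN_BLOB and entropy(blob) >= ENTROPY_THRESHOLD:
            reasons.append("large high-entropy blob (encrypted payload?)")
        if reasons:
            findings[(key, name)] = reasons
    return findings


# Constructed sample export so the scan runs offline.
def to_reg_hex(data, width=25):
    """Format bytes as regedit does: hex:aa,bb,... with backslash-wrapped lines."""
    parts = [f"{b:02x}" for b in data]
    lines = [",".join(parts[i:i + width]) for i in range(0, len(parts), width)]
    return "hex:" + ",\\\n  ".join(lines)


def pseudo_cipher(n, seed):
    """Deterministic high-entropy bytes standing in for an encrypted payload."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 700
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    "[" + SETTINGS_KEY + "]",
    '"CryptoHash"=' + to_reg_hex(pseudo_cipher(2048, b"sfcfiles.dll")),
    '"HashSeed"=' + to_reg_hex(pseudo_cipher(96, b"urls")),
    '"DriveSettings"=' + to_reg_hex(pseudo_cipher(4096, b"sfc.sys")),
    "",
    # Assumed key: the write-up does not say where the dll.dll blobs live.
    "[" + SETTINGS_KEY + r"\Example]",
    '"Payload"=' + to_reg_hex(FAKE_PE),
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    '"Flags"=hex:01,00,00,00',  # benign: small and low entropy
    "",
])
```

On a suspect machine, run `reg export HKLM\SOFTWARE dump.reg`, open the file with `encoding="utf-16"` (regedit writes UTF-16LE) and pass its contents to scan(). The named-value check is exact; the MZ check only catches DLLs stored unencrypted, which is why the size-plus-entropy rule is there for the encrypted driver. That rule will also fire on legitimate compressed or licence blobs, so treat it as a lead to inspect, not a verdict.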
The first dll.dll communicates continuously with the server in order to keep the server addresses permanently up to date. Lavandos sends the identification data of the hijacked computer (IP address, ports and hostname) along with the collected information to the C&C server. This DLL also collects usernames and passwords from e-banking sites by hooking the browser’s InternetOpenA and InternetOpenW functions. When it intercepts a login combination, it hashes the data and stores it in the Registry under the HKLM\Software\Microsoft\Windows key. Every time it captures a username and password, it sends the entire contents of that Registry key to the C&C server in a POST request.
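Because the update hosts were redacted above and the first dll.dll keeps rotating the server addresses anyway, the one stable network indicator the write-up gives is the URL path (/vito/page.php, /ole21/page.php). The following is an added example, not the page's or BitDefender's code: a check that runs that indicator over Squid native access.log lines. The hostnames, client addresses and log lines in the sample are constructed placeholders, not the real C&C domains.

```python
"""Flag Lavandos C&C traffic in a Squid native access.log.

Added example, not part of the original write-up or of BitDefender's tool.
The stable indicator is the URL path; hosts and addresses below are
constructed placeholders.
"""
import re
from urllib.parse import urlsplit

# Path shared by every update URL the write-up lists.
CNC_PATH = re.compile(r"/(vito|ole21)/page\.php$")


def parse_squid_line(line):
    """Squid native format: ts elapsed client code/status bytes method URL user hier type."""
    f = line.split()
    if len(f) < 7:
        return None
    return {"ts": f[0], "client": f[2], "status": f[3],
            "bytes": int(f[4]), "method": f[5], "url": f[6]}


def is_lavandos_cnc(url):
    """True when the URL path matches the C&C pattern, ignoring host and query string."""
    return CNC_PATH.search(urlsplit(url).path) is not None


def find_cnc_hits(log_text):
    """Return (client, method, url) for every request to a Lavandos C&C path.
    A POST to such a path matches the credential upload described in the
    write-up; the update downloads use the same path."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec and is_lavandos_cnc(rec["url"]):
            hits.append((rec["client"], rec["method"], rec["url"]))
    return hits


# Constructed sample lines; the last one is a near miss that must not match.
SAMPLE_LOG = """\
1286200001.103    412 10.1.2.30 TCP_MISS/200 1822 GET http://mv-example.com/vito/page.php - DIRECT/198.51.100.7 text/html
1286200002.540     38 10.1.2.30 TCP_MISS/200 212 POST http://mv-example.com/vito/page.php?id=7 - DIRECT/198.51.100.7 text/html
1286200003.001     95 10.1.2.44 TCP_HIT/200 5120 GET http://www.example.org/index.php - NONE/- text/html
1286200004.777    301 10.1.2.51 TCP_MISS/200 240 POST http://g-example.com/ole21/page.php - DIRECT/203.0.113.9 text/html
1286200005.002     60 10.1.2.44 TCP_MISS/404 310 GET http://www.example.org/vito/page.phpx - DIRECT/203.0.113.1 text/html
"""

if __name__ == "__main__":
    for client, method, url in find_cnc_hits(SAMPLE_LOG):
        print(f"{client} {method} {url}")
```

Matching on the path rather than the host is deliberate: the domains change, the path did not across all six URLs listed. A POST hit is the stronger signal, since the malware uploads the harvested Registry key that way; pull the request body from a full packet capture if one exists, because the proxy log keeps only the URL.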
The second dll.dll intercepts FTP account information (hostname, IP, destination port, username and password), which is Base64-encoded (an encoding, not encryption, so it is trivially recoverable) and stored in the same Registry key.
The third dll.dll looks for Registry keys created by specific FTP clients and reads the keys each application uses to remember its connection credentials. It recognizes 14 of the most widely used freeware and commercial FTP clients, which gives it a high success rate.
The fourth dll.dll is a keylogger: it hooks the TranslateMessage function, intercepts each pressed key and stores it in a buffer. It also reads the class name of the foreground window; if that is “java.sun.awt.bifit” (BIFIT: banking and financial technologies on the Internet), the malware takes a screenshot and saves it to the clipboard.
Other dll.dll files hook various functions in proprietary banking applications, and they also manipulate browser functions to import certificates or to make the browser accept a self-signed certificate as trusted.
Although the backdoor does not deploy a rootkit driver, it subverts critical Windows functions and compromises the security of the browser and of FTP clients. It bets everything on stealth: it keeps the number of files written to disk to an absolute minimum and its network traffic to the bare essentials.
If you have a BitDefender product installed, there is no need to worry: Backdoor.Lavandos.A has been detected since it first appeared. If you do not have a BitDefender product installed and would like to check whether you are infected, we have a free removal tool available for download.
Some information in this article is available courtesy of BitDefender malware researcher Cristina Vatamanu. The removal tool is available courtesy of virus analyst Vlad Craciun.