PWS-BoldDie
- Type: Trojan
- SubType: Password Stealer
- Discovery Date: 03/19/2009
- Length: Varies
- Minimum DAT: 5559 (03/20/2009)
- Updated DAT: 5559 (03/20/2009)
- Minimum Engine: 5.3.00
- Description Added: 03/19/2009
- Description Modified: 06/04/2009 12:02 AM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Overview
-- Update June 04, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2009/06/03/atm_trojans/
--
This description is for a password stealing Trojan.
There are several variants of this Trojan, and the characteristics of this Trojan with regards to the file names, information stolen, etc. will differ, depending on the way in which the attacker has configured it. Hence, this is a general description.
Aliases
- Backdoor.Win32.Skimer.c (F-Secure)
- Backdoor.Win32.Skimer.c (Kaspersky)
- Trj/CI.A (Panda)
- Troj/Skimer-A (Sophos)
- Trojan.Skimer (Symantec)
- Trojan.Skimer.origin (Dr.Web)
Characteristics
-- Update June 04, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2009/06/03/atm_trojans/
--
This Trojan is designed to steal passwords at ATMs that run Diebold software.
Upon execution, this Trojan drops the following alternate data streams (ADS):
- %WinDir%\greenstone.bmp:redstone.bmp
- %WinDir%\greenstone.bmp:bluestone.bmp
- %WinDir%\lsass.exe
- %WinDir%\[SERVICE]:pwrstr.dll
Alternately, the following file is dropped on non-NTFS hosts:
- %WinDir%\Greenstone.bmp
The following registry modifications are made to the Protected Storage service's path and type:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ProtectedStorage\ImagePath: "C:\WINDOWS\lsass.exe"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ProtectedStorage\Type: 0x00000110
The alternate data stream '[SERVICE]:pwrstr.dll' injects itself into the mu.exe and SpiService.exe processes; inter-process communication is accomplished using the named pipe '\\.\pipe\lsndbd'.
Information on ATM transactions is held in the greenstone.bmp:redstone.bmp alternate data stream. The interface includes functionality to print out this data. After authentication, the attacker can access this information via certain commands in a series of ATM graphical interfaces.
Commands available to the attacker also include:
- 1..4 - dispense cassette
- 9 - Uninstall
- 0 - Exit
Symptoms
- Presence of the aforementioned alternate data streams
- Presence of the aforementioned threads in processes
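The indicators above (alternate data streams under %WinDir%, a second lsass.exe outside System32, the redirected ProtectedStorage service, the lsndbd named pipe and the two injection-target processes) can be checked on a suspect host with a read-only triage script. The script below is an added example, not part of the McAfee description or its tooling; it assumes PowerShell 3.0 or later on an NTFS system volume, and the list object and message wording are its own. Because the host file name for the [SERVICE]:pwrstr.dll stream is not fixed, it scans the top-level files of %WinDir% for any stream by that name rather than a single path.

```powershell
# Added triage example for the PWS-BoldDie / Skimer indicators listed in the description.
# Read-only: it reports findings and changes nothing. Run from an elevated PowerShell 3.0+ session.
# Paths, registry values, pipe and process names come from the description; $findings is this example's own.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Alternate data streams on %WinDir%\greenstone.bmp (or the plain file on non-NTFS hosts).
$bmp = Join-Path $env:WinDir 'greenstone.bmp'
if (Test-Path -LiteralPath $bmp) {
    $findings.Add("File present: $bmp")
    Get-Item -LiteralPath $bmp -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |   # skip the file's own default stream
        ForEach-Object { $findings.Add("ADS found: $($_.FileName):$($_.Stream) ($($_.Length) bytes)") }
}

# 2. The [SERVICE]:pwrstr.dll stream: host file name unknown, so scan %WinDir% top-level files.
Get-ChildItem -LiteralPath $env:WinDir -File -ErrorAction SilentlyContinue |
    Get-Item -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -eq 'pwrstr.dll' } |
    ForEach-Object { $findings.Add("ADS found: $($_.FileName):$($_.Stream)") }

# 3. A second lsass.exe in %WinDir% (the legitimate binary lives in %WinDir%\System32).
$fakeLsass = Join-Path $env:WinDir 'lsass.exe'
if (Test-Path -LiteralPath $fakeLsass) {
    $findings.Add("Suspicious binary: $fakeLsass")
}

# 4. ProtectedStorage service redirected to that binary, with Type changed.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\ProtectedStorage'
if (Test-Path -Path $svcKey) {
    $svc = Get-ItemProperty -Path $svcKey
    if ($svc.ImagePath -and ($svc.ImagePath -match '(?i)\\lsass\.exe' ) -and
        ($svc.ImagePath -notmatch '(?i)system32')) {
        $findings.Add("ProtectedStorage ImagePath = $($svc.ImagePath)")
    }
    if ($svc.Type -eq 0x110) {
        $findings.Add("ProtectedStorage Type = 0x{0:X8}" -f [int]$svc.Type)
    }
}

# 5. The named pipe used for inter-process communication.
$pipes = [System.IO.Directory]::GetFiles('\\.\pipe\')
if ($pipes -contains '\\.\pipe\lsndbd') {
    $findings.Add('Named pipe present: \\.\pipe\lsndbd')
}

# 6. Injection-target processes, reported for manual inspection (the injected stream
#    does not show up as an ordinary loaded module).
Get-Process -Name 'mu', 'SpiService' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Injection target running: $($_.ProcessName) (PID $($_.Id))") }

if ($findings.Count -eq 0) {
    Write-Output 'No PWS-BoldDie indicators found.'
} else {
    Write-Output 'Indicators found:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

A hit on any single check is worth escalating; the registry and named-pipe checks are the least likely to produce false positives, while a greenstone.bmp without extra streams on a non-NTFS volume is consistent with the description's fallback drop and should be confirmed by hashing the file and scanning it with current DATs.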
Method of Infection
Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial. Trojans may also be received as a result of poor security practices, or on un-patched machines and vulnerable systems. Distribution channels include IRC, peer-to-peer networks, email, newsgroup postings, etc.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A