The spammed email messages look like this:
BANK OF AMERICA CORPORATION NOTICE:
New online banking account interface "Bank of America Webbanking-2009" will be available after December 12, 2008.
Please take a look on the new account features demo page.
Bank of America provides our clients with a Demo Account to learn how to use new account interface.
You will learn how to work with the Demo Account Station below.
This link will let you know all news in the Future Online Banking with Bank of America.
DEMO ACCOUNT OVERVIEW>>
2008 Bank of America Corporation.
Why would anyone think of doing an online Demo Account malware campaign? Well, its because the Real Bank of America has invited their customers to view a demo of their new Free Online Banking.
Here's the REAL Bank of America "DEMO":
The URL for the real demo is:
What is most malware about today? Its about SOCIAL ENGINEERING. Can the criminal convince the victim that he is trustworthy by imitating someone or something that the victim is likely to trust. What is more trustworthy than your bank? So when the bank sends its customers an invitation to view a demo of their new Free Online Banking, the criminal follows suit.
Here are some of the Subject lines of the emails the criminal is sending:
- Bank of America - Demo Account
- Bank of America - DEMO ACCOUNT not working
- Bank of America - Demo Account Set Up
- Bank of America - Demo Account Setup
- Bank of America - demo account traders
- Bank of America - full access privileges for your DEMO account
- Bank of America - learn how to trade with the Demo Dealer Station below
- Bank of America - New Demo Account, Try for FREE
- Bank of America - Open A Demo Account
- Bank of America - provides our Bank of America - clients with a Demo
Account to "paper trade" the Forex market.
- Bank of America - register for a Demo Account to use new features.
- Bank of America - Setting Up Your Demo Bank of America Account
- Bank of America - Sign In.My Business Account Demo.
- Bank of America - Sign In.My Business Account Demo.
- Bank of America - The demo is best viewed with your browser
- Bank of America - Try A Free Demo Account!
- Bank of America - using a demo account
- Bank of America - View Demo Account's professional profile
- Bank of America - View Demo of Prime Account
- Bank of America - View Site View demo website
- Bank of America - We Give You The Tools You Need.
- Bank of America - We Give You The Tools You Need. Try A Free Demo Account!
- Bank of America - your Demo Account username and passcodes will be
generated and emailed to you.
Each email has a ridiculously long URL, such as:
The superlong URLs are to try to cause us good guys problems when we try to fetch their pages into Windows, or zip them up using WinZip, where we'll occasionally get errors about "path too long". In reality, we can shorten the path dramatically and get the same effect. All of the URLs we've seen can be reduced to these five:
(All of the domains were registered in China - BizCN.com and TodayNIC.com -- all of the websites are being hosted with Fast Flux, or botnet machines. If your computer is part of their botnet, then YOU might be helping to host this website.)
Visiting any of these sites shows you a webpage that looks like this:
which prompts users to download "Adobe_Player9.exe" to view the Demo of their new account.
The first phase of the virus is that Adobe_Player9.exe, which is a tiny little dropper of 3,225 bytes in size. The current version has an MD5 of 2ef0de5993873f26529ac34012eb97d9, and is detected by 17 of 37 products according to a current VirusTotal.com report.
The second phase of the virus is downloaded from the URL:
That part of the virus does all the work and plants the keylogger and rootkit. This file is 59,392 bytes in size and has an MD5 of 227c31e1b0e4867bcaefe86a674a6981. Although VirusTotal is listing 10 out of 37 products detecting this in this VirusTotal.com report, its clear that most of these AV's actually do not know what this is, even if they may think it looks suspicious.
AhnLab, Ikarus, Microsoft, and NOD32 know what this virus is. The first three call it "Ursnif" and the last calls it "Papras". That is an accurate description. AVG, McAfee+Artemis, Norman, and SecurewWeb mark it as suspicious based on the fact that it is packed. (AVG calls it "Pakes", which I believe just means "packed file").
After becoming infected, a new Windows Service called "new_drv.sys" will be running on the computer, but will be hidden from most Windows processes. (For example, doing a directory listing, even at a DOS prompt, will not show the file, and listing running processes, for instance in Task Manager, will also not show the file. That's the job of the rootkit function, to hide the existence of the new program from Windows.)
Anytime Internet Explorer is active, userids and passwords, and really anything else that is entered into an online form, are sent to the criminal.
This is the same family of malware which we have warned about so many times in the past -- Papras is the common virus name for all of the "Digital Certificate" malware, and "URSnif" is the name of the routines which do keylogging and send the keys to the badguy in this particular way. We've been talking about Digital Certificates all the way back to our May 6th Digital Certificate Alert! story.
The combination of the old Digital Certificate keylogger with the fake AdobePlayer to see a video began with the Obama acceptance speech video, as we reported the day after the election in our story Computer Virus Masquerades as Obama Acceptance Speech.