We recently blogged about a new strain of malware called VBKlip, aimed at Polish online banking users. In the last few days a new, revised version of this malware has resurfaced. This version is written in .NET and introduces a few new ideas, with the result that none of the three samples we were able to obtain was detected by any of the antivirus solutions present on VirusTotal. This is what makes the threat especially dangerous to users. The new malware spreads as “Adobe Flash Player”, with an icon to match.
We don’t need no network…
This edition of VBKlip is very simple. First, it creates a Form with one of its dimensions set to zero and with ShowInTaskbar set to false, so the malware is not visible in the system unless the user opens the Task Manager.

Next, it uses the Microsoft.VisualBasic.MyServices.ClipboardProxy class to manipulate the content of the Windows Clipboard. Every second (driven by a Timer) it compares the clipboard contents against two Visual Basic Like patterns, in which # matches a single digit:

##########################

or

## #### #### #### #### #### ####

These are the standard formats of the 26-digit bank account number (NRB) used in Poland, as a bare digit string or in the usual grouped form. If the content matches either pattern, it is replaced with another bank account number that is simply hardcoded in the application itself. This is the whole functionality of the malware.
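The matching and swapping step described above, reproduced as an added example (this is not CERT Polska's code and not code from the samples). It translates the two Like patterns into regular expressions, simulates one Timer tick of the malware against a stand-in clipboard, and adds the check a defender actually needs: comparing what was copied with what gets pasted. The account numbers are constructed test values, the hardcoded replacement number is a placeholder (the real one is not quoted in the post), and the mod-97 check shows why a checksum alone does not help, since a valid number is swapped for another valid number.

```python
"""Added example, not code from the original post: VBKlip-style clipboard
matching and a paste-time tamper check. All account numbers are constructed."""
import re
from dataclasses import dataclass

# The two Visual Basic Like patterns quoted in the post. In a Like pattern,
# '#' matches exactly one digit, so these match a 26-digit Polish NRB either
# as a bare digit string or in the usual "## #### #### #### #### #### ####" grouping.
VBKLIP_PATTERNS = [
    "##########################",
    "## #### #### #### #### #### ####",
]


def vb_like_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate the VB Like wildcard subset (#, ?, *) into a Python regex."""
    table = {"#": r"\d", "?": ".", "*": ".*"}
    return re.compile("".join(table.get(ch, re.escape(ch)) for ch in pattern))


NRB_MATCHERS = [vb_like_to_regex(p) for p in VBKLIP_PATTERNS]


def vbklip_would_match(text: str) -> bool:
    """True if the matching step, as described in the post, fires on this clipboard text.
    Note that an IBAN-prefixed form ("PL61...") or dash-separated groups do NOT match."""
    return any(m.fullmatch(text) for m in NRB_MATCHERS)


def nrb_is_valid(nrb: str) -> bool:
    """IBAN mod-97 check for a Polish NRB ('PL' + 26 digits is the IBAN; P=25, L=21)."""
    digits = nrb.replace(" ", "")
    if len(digits) != 26 or not digits.isdigit():
        return False
    return int(digits[2:] + "2521" + digits[:2]) % 97 == 1


# Constructed numbers: the "genuine" one the victim copies from an invoice and the
# placeholder "attacker" number. Both pass the mod-97 check on purpose.
GENUINE_NRB = "61 1090 1014 0000 0712 1981 2874"
ATTACKER_NRB = "76102000000000000000000001"   # assumption: stands in for the hardcoded number


@dataclass
class FakeClipboard:
    """Stand-in for the Windows clipboard so the example runs offline."""
    content: str = ""


def vbklip_tick(clip: FakeClipboard, hardcoded: str = ATTACKER_NRB) -> bool:
    """One Timer tick: replace the clipboard content if it looks like an NRB."""
    if vbklip_would_match(clip.content):
        clip.content = hardcoded
        return True
    return False


def paste_is_tampered(copied: str, pasted: str) -> bool:
    """Defensive check: the number the user copied must be the number that is pasted.
    Whitespace differences are tolerated; any digit change counts as tampering."""
    return copied.replace(" ", "") != pasted.replace(" ", "")


def run_scenario(copied: str) -> dict:
    """Copy `copied` to the fake clipboard, let the malware tick once, inspect the result."""
    clip = FakeClipboard(content=copied)
    swapped = vbklip_tick(clip)
    return {
        "swapped": swapped,
        "pasted": clip.content,
        "pasted_passes_checksum": nrb_is_valid(clip.content),
        "tampered": paste_is_tampered(copied, clip.content),
    }


if __name__ == "__main__":
    for sample in (GENUINE_NRB,
                   GENUINE_NRB.replace(" ", ""),
                   "PL" + GENUINE_NRB.replace(" ", "")):
        print(repr(sample), "->", run_scenario(sample))
```

Running the block shows that both the bare and the space-grouped forms are swapped, that the swapped-in number still passes the IBAN checksum, and that only the copied-versus-pasted comparison flags the substitution.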
Much like in the Pink Floyd song, this malware just wants the security solution vendors to leave it alone. It uses no network communication, so no network signatures can be written for this sample: there are no IP addresses or domain names to monitor or take down. It does not establish any persistence, and no registry entries are created. Apart from the clipboard content replacement there is no system activity, which leaves the running process itself as the only host-side indicator.
This has a very interesting impact: none of the antivirus products available on VirusTotal when the samples were obtained detected this malware. Not a single detection, not even a false positive, from over 45 different antivirus solutions. Links to the reports are provided below.
https://www.virustotal.com/en/file/744bae3c6f64cc4c9fb8095d57b54c7d0c827b6f5dc113aa289067f687182fc7/analysis/1389270408
https://www.virustotal.com/en/file/0c10aeb3fdf4fb0d36250d12578227599f8f2509861b6e09e27413aeb044dfa0/analysis/1389337563
https://www.virustotal.com/en/file/db375c17975d21c6749c0168cd10f9dc9d26e33b9569e1a817da88d776642653/analysis/1389270408
Summary
VBKlip is a new kind of malware which, due to its simplicity and previously unseen behaviour, is a serious threat. It is harder to detect with network IDS/IPS systems because it simply generates no traffic to a C&C. The threat is directed at Polish users: it contains hardcoded Polish bank account numbers, and we were not able to obtain any foreign sample. The lack of antivirus detection makes VBKlip even harder to fight. On the other hand, the lack of persistence means that simply restarting the computer gets rid of the unwanted behaviour. Until then, the practical defence is to compare the pasted account number with the one in the invoice or source document before confirming a transfer, since the malware only alters the clipboard contents.
SHA256 sums of the analyzed samples are provided below.
0c10aeb3fdf4fb0d36250d12578227599f8f2509861b6e09e27413aeb044dfa0
744bae3c6f64cc4c9fb8095d57b54c7d0c827b6f5dc113aa289067f687182fc7
db375c17975d21c6749c0168cd10f9dc9d26e33b9569e1a817da88d776642653