Delivering banking Trojan via malicious boot loaders

Brazil is a country whose Internet users are targeted almost exclusively by cyber crooks wielding banking Trojans. It is also a country where a majority of users still runs Windows XP on their computers.

This last fact has been taken into consideration and misused by criminals, as they devised a way to exchange the legitimate ntldr boot loader – found on Windows XP, Windows NT and Windows Server 2003 – with a malicious boot manager.

The infection starts with a downloader Trojan served to victims via a link in a spam email. The Trojan downloads two additional files and performs the aforementioned switch, and the new boot manager can now call those two files to work their “magic”, i.e. to remove files belonging to a variety of AV solutions and to a security plug-in used by many Brazilian banks.

“Once the infection is completed, the Trojan forces the system to reboot and all the changes take place,” explains a Kaspersky Lab researcher.

Then, the malicious boot loader creates the illusion that the long boot time is due to the Microsoft Malicious Software Removal Tool finding malicious files and removing them (click on the screenshot to enlarge it):

In the end, the legitimate boot loader is made active again as the malicious one deletes itself without a trace. Left behind are a banking Trojan ready for stealing information and a crippled AV solution unequipped for detecting it and other malware