372 days, 626,000 downloads. Those numbers belong to a free tool called BankerFix, which I developed at Linha Defensiva with help from the other team members.

What is so good about this tool? Nothing. It is a single VBS script, run by a batch file that keeps a persistent window on the screen. The script uses tools such as PrcViewer to end malicious processes, and it identifies files by matching filenames, MD5 hashes and file sizes against a definition list. As the name implies, BankerFix's main targets are Banker trojans, malicious code that steals online banking credentials.
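As an added illustration of the matching the post describes (this is example code, not BankerFix's own VBS or batch script, and every filename, hash and sample byte string in it is constructed), here is the same filename/size/MD5 check written in Python. It generalizes slightly: a match requires size and MD5, with the filename kept only as a label, so a renamed copy of a known sample is still caught while a different file that happens to have the same size is not.

```python
"""Definition-list matcher in the style the post attributes to BankerFix:
each definition carries the filename a sample was seen under, its size in
bytes and the MD5 of its contents. Example code, not BankerFix itself;
all names, sizes, hashes and file contents below are constructed."""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Definition:
    name: str   # filename the sample was originally seen under (label only)
    size: int   # size of the sample in bytes
    md5: str    # hex MD5 of the sample's contents


def md5_of(path: str) -> str:
    """Hash a file in chunks so large files are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def match_file(path: str, defs: Iterable[Definition]) -> Optional[Definition]:
    """Return the definition that matches this file, or None.

    Size is compared first so that most files on disk are never hashed.
    A hit needs size AND MD5; the filename is deliberately not required,
    because droppers rename themselves and unrelated files share names."""
    size = os.path.getsize(path)
    candidates = [d for d in defs if d.size == size]
    if not candidates:
        return None
    digest = md5_of(path)
    for d in candidates:
        if d.md5 == digest:
            return d
    return None


def scan(directory: str, defs: Iterable[Definition]) -> Dict[str, str]:
    """Map each matching filename in `directory` to the definition name it hit."""
    defs = list(defs)
    hits: Dict[str, str] = {}
    for entry in sorted(os.listdir(directory)):
        path = os.path.join(directory, entry)
        if os.path.isfile(path):
            d = match_file(path, defs)
            if d is not None:
                hits[entry] = d.name
    return hits


def demo() -> Dict[str, str]:
    """Build a constructed sample set in a temp dir and scan it."""
    sample = b"MZ" + b"\x90" * 100 + b"fake banker payload"   # constructed, not real malware
    defs = [Definition("fotos.exe", len(sample), hashlib.md5(sample).hexdigest())]
    with tempfile.TemporaryDirectory() as d:
        def put(name: str, data: bytes) -> None:
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        put("fotos.exe", sample)                    # original name: hit
        put("svchost.exe", sample)                  # renamed copy: still a hit (same size + MD5)
        put("fotos2.exe", b"A" * len(sample))       # same size, different bytes: miss
        put("readme.txt", b"nothing to see here")   # different size: never hashed, miss
        return scan(d, defs)


if __name__ == "__main__":
    print(demo())
```

Checking size before hashing is the cheap filter; the MD5 is what actually decides, and a definition whose hash is wrong will silently match nothing, so definition lists of this kind need to be verified against the sample when they are written.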

The tool turned one year old last week without reminding me of its birthday (as if it could). The forum topic that holds the definition list was created on July 21st, 2006, so the tool went public exactly one year and a week ago, or 372 days.

I'll admit that those download stats are inflated by the fact that, until recently, the tool had no update mechanism. Anyone who wanted to run it regularly had to download a newer version from the website by hand, which pushed the download counter up. The new version, however, has an update option that does not count as a download and defaults to checking for a newer version every time the tool runs. The page that serves as the redirector for updates had 145,000 hits last month, so the tool was run at least that many times.

Those numbers are worrisome, since the tool only removes Brazilian Bankers and is aimed only at Brazilians, so it has a very restricted "market". Still, they are not the biggest numbers we have had. Before BankerFix, which targets any Brazilian Banker we can get our hands on, we released several other tools to remove specific MSN Messenger worms that had reached epidemic levels. One of those tools is the one that almost made everyone's head at Linha Defensiva spin.

It was the first worm aimed at users of Google's Orkut, or at least the first one that got large enough to show up on our radar. To spread, it sent the message "Take a look at the photos from the party. They are awesome", followed by a link to an EXE file. The worm could post it as a "scrap" to every "friend" in the user's Orkut profile. Orkut is easily the largest social network website in Brazil. We detected the worm on May 21st, 2006.

A simple batch script that ended the worm's process and deleted the file was created as a removal tool. We published it. The story on the website was quickly flooded with comments and our server hammered with download requests: about 300,000 in one week. The link to the tool spread like wildfire among Orkut users. AWStats registered no less than 110,300 incoming links from Orkut that month, and the tool had only been published on May 22nd. By comparison, the following month (June 2006) had just 22,200 incoming links from Google's social network.

That last week of May 2006 was a really crazy one. We had a download counter going up by the tens while dozens of users were creating threads asking for help in the forums (as a member of ASAP, we provide free malware removal support). The tool we created, however, made it easier to keep waiting times low, since we could quickly direct infected users to an automated solution.

Unfortunately, Orkut worms didn't stop there. We had another one soon enough. Thankfully, it didn't become as big. While the links were still up I contacted Chris Boyd of FaceTime (and VitalSecurity). He published a writeup at SpywareGuide detailing its functions (the FallenHawk researcher cited in the post is me).

The infections were becoming too numerous for us to keep creating separate tools, and it would have been impossible for users to quickly tell which one they were infected with in order to run the correct tool. That was when the idea of a "generic" Banker remover was conceived. By July 2006, BankerFix was released. Today there are plenty of Orkut and MSN worms going around. None of them makes much noise alone, but together they are a much bigger problem than that worm was in 2006.

I'm not a good programmer. I'll take words over code any day of the week. The download numbers might look impressive, but they say more about poor law enforcement and the lack of user education than about BankerFix's quality or my abilities as a programmer.

The price of computers in Brazil recently fell as the government lowered taxes and created "digital inclusion" ("PC For Everyone") programs. The people using those machines aren't getting any training or education. Traditional media and the press rarely talk about computer security issues, and few people feel "geeky" enough to read tech websites.

I'm aware that BankerFix's "success", if we can call it that, is the result of continuing failures in law enforcement and user education. But until those are fixed, we'll keep doing what we can.

Posted Saturday, July 28th, 2007 at 9:50 am
Filed Under Category: Brazil, Defensive Line, Viruses