Symantec have warned of a malicious Trojan called 'Bayrob' which enables scammers to obtain Ebay Motors customers' IDs and passwords.
Ebay's latest security scare is known as a 'middleman' attack. Trojan.Bayrob does this by exploiting a weakness in Ebay's proxy server.
Ebay users are warned (by Symantec) to be wary of attacks from Ebay's internal messages as well as ME pages. The risk of being attacked is reduced by refraining from clicking on any links. There is no word from Ebay regarding this latest security scare.
We have recently received a new threat that targets users of the eBay auction site and, more specifically, motor auctions. The threat, named Trojan.Bayrob, is quite advanced and tries to implement a man in the middle style attack. While we have previously seen Infostealers that try to steal your username and password, a threat attempting a man in the middle attack on eBay is very unusual.
Man in the middle attacks are very powerful, but are also difficult to code correctly. Trojan.Bayrob takes the approach of implementing a local proxy server and directing traffic bound for eBay through this local proxy server. The proxy server listens on localhost port 80.
To send traffic through its proxy server, Trojan.Bayrob changes the etc/hosts file to force traffic bound for the following sites through the local proxy server:
My.ebay.com
Cgi.ebay.com
Offer.ebay.com
Feedback.ebay.com
Motors.search.ebay.com
Search.ebay.com
Trojan.Bayrob then connects to the following servers to download configuration data (the Trojan can also download an updated list of these control servers):
Superdigitalprices.com
Wai-k-mart.com
Wal-stop-mart.com
Onemoreshoot.com
Jdo24nrojseklehfn.com
These servers are duplicates of each other and the Trojan regularly pings them to check that they are still active (using the isup.php script). Each of these servers contains the following scripts:
Var.php
Cfp.php
Hst.php
Var-user.php
Ping.php
Isup.php
Ban.php
Setvar.php
Getip.php
Hostname.php
Hst-user.php
Exe.php
Contact.php
The most interesting of these scripts is var.php; this script returns many different variables, which will be used in the attack. The downloaded variables include tokenised versions of legitimate eBay pages. An example is shown below:
When the user requests a real “ask a question” page, they will be presented with this fake page instead. The page has been tokenised to allow the Trojan to easily replace important strings with its own. In the example above, the %seller_name%, %item_number% etc will be replaced with variables that the Trojan will download.
In total, the Trojan downloads 10 fake pages, although this is also variable:
%ask_page% - Fake Ask a Question Page
%bin_page% - Fake Buy it Now Page
%ended_page% - Fake Auction Ended Page
%commit_page% - Fake Review and Commit to Buy Page
%feedback_page% - Fake Feedback Page
%payment_page% -
%insert_won% -
%insert_paid% -
%trust_and_safety% -
%item_specifics% -
The fake feedback page is interesting and is shown below, it shows a high feedback rating so that the user will be confident to continue and finish the auction:
The exact motive behind the Trojan is still a mystery, since at the time of writing the servers are not sending down the %item_number% and %seller_name% variables that would show which auction the user should be redirected to; without these, the Trojan will not start to show fake pages.
Further analysis is ongoing, and we will update this blog as soon as we have any further information. Symantec detects this threat as Trojan.Bayrob. Another way to prevent the attack is to block the domains shown above at the firewall; however, these domains will no doubt change, since the Trojan is capable of updating the list.
Posted by Liam OMurchu on March 5, 2007 06:30 AM
-- Edited by anonymous at 19:56, 2007-03-05
__________________
CAPP Consumers Against PayPal Policies - Exposing the sleazery of sleazebay and painpal
On March 5, we posted a blog about a new threat called Trojan.Bayrob that targets users of the eBay auction site and, more specifically, motor auctions. Following further research, we are able to shed some more light on the mechanics of Trojan.Bayrob. As stated previously, this attack is targeted at users who will be highly likely to buy a car on eBay (e.g. second-hand car sales companies).
In this attack, victims are sent an email about a car that is being offered for sale. The email contains a legitimate slide show program that shows images of the car on offer; however, the email also contains the Trojan.Bayrob file. Below are two examples of what the slide show looks like. While the victim views the slide show, the Trojan is silently being installed in the background.