i2Ninja Banking Trojan Uses Tor-like P2P Encryption

Offered by a hacker going by the name Torpig, i2Ninja is a new type of clandestine malware. True to its name, it is emerging now from the background, striking almost undetected.

The bug carries out all the usual financial nastiness, but is unique in its use of secure peer-to-peer (P2P) communications.

“The cybercrime underground provides a robust marketplace for buying and selling different malware variants,” said Trusteer researcher Etay Maor, in a blog. He added that unlike the name-brand banking trojans, “lurking in the dark shadows of the Internet, some cybercriminal groups prefer to remain low profile and not sell their tool of choice to the general underground public.”

Offered by a hacker going by the name Torpig, a.k.a. Sinowal, i2Ninja is one of these clandestine wares. True to its name, it is emerging now from the background, striking almost undetected.

Maor said that i2Ninja offers a similar set of capabilities to the ones offered by other major financial malware: HTML injection and form grabbing for all major browsers (Internet Explorer, Firefox and Chrome), FTP grabber and a soon-to-be-released virtual network connection, or VNC, module. In addition, the malware also provides a PokerGrabber module targeting major online poker sites and an email grabber.

But a unique P2P communications concept sets this malware apart: The non-ninja part of its name comes from the malware’s use of I2P – a networking layer that uses cryptography to allow secure communication between its peer-to-peer users. Somewhat similar to Tor and Tor services, I2P was designed to maintain a true “Darknet,” an internet-within-the-internet where secure and anonymous messaging and use of services can be maintained. The I2P network also offers HTTP proxies to allow anonymous internet browsing.

“Using the I2P network, i2Ninja can maintain secure communications between the infected devices and command and control server,” Maor said. “Everything from delivering configuration updates to receiving stolen data and sending commands is done via the encrypted I2P channels. The i2Ninja malware also offers buyers a proxy for anonymous Internet browsing, promising complete online anonymity.”

The privacy aspect would naturally appeal to the discerning cybercriminal, and Torpig talks this up in his underground advertising, which Maor published, translated from the original Russian: “We would like to introduce a unique product to you, a bot by the name of i2Ninja, and tell about its various advantages. First and foremost, is its use of the I2P network for botnet control, commands, updates, injection upgrade, removing and adding different modules.”

The bug also comes with the bonus of a handy customer service option. An integrated help desk via a ticketing system within the malware’s command and control lets a potential buyer communicate with the authors and support team, open trouble tickets and get answers (all messages are, naturally, encrypted).

“While some malware offerings have offered an interface with a support team in the past (Citadel and Neosploit to name two), i2Ninja’s 24/7 secure help desk channel is a first,” Maor said.

So far, i2Ninja has not been spotted in the wild, feasting on people’s bank accounts. But that no doubt will change.

“With increasing black market activity and the release of various malware source code, we expect to see new malware variants and new underground offerings in 2014,” Maor said. “i2Ninja has already been discussed in several Russian-speaking cybercrime forums; Trusteer's Security team is actively monitoring for a live variant of this malware. Once such an attack is identified and researched we will update with new technical details.”

Regardless, the surge of financial malware shows no signs of slowing: the third quarter of 2013 saw the number of online banking Trojans detected reach record levels, according to Trend Micro, with more than 200,000 infections reported in the period.
