Using Trusted Software to do the Dirty Work

We recently discovered an interesting Trojan horse that changes the home page of Internet Explorer and redirects traffic from certain domains to this page.

Normally this wouldn’t be out of the ordinary, but rather than use their own Trojan code, the malware authors have chosen a different way to build their malicious package. Utilizing a component of KingSoft Internet Security, they have built a package consisting of the KingSoft WebShield browser protection software. The package contains configuration files that are crafted in such a way that allows KingSoft WebShield to perform correctly, but also allows the malware authors to use a real browser protection package instead of customized Trojan code.

The Trojan is packed in an AutoIT package. Specifically, this package consists of the following Kingsoft WebShield and support components:

  • kswbc.dll
  • kswebshield.dll
  • KSWebShield.exe
  • kwssp.dll
  • kwsui.dll

All of these files are intact and are digitally signed by "Zhuhai Kingsoft Software Co. Ltd". They are normally distributed as part of a previous version of the Kingsoft Internet Security package, which is designed as an anti-phising/browser protection software application.

However, the interesting part of this package is in its configuration, which allows an opportunity for malicious intent. Kingsoft WebShield has the ability to lock the home page to a specific domain as well as to redirect URLs based entirely on plain text configuration files. This means that a person with malicious intent can repackage it using malicious configuration files and use this as a home-made Trojan package.

When the AutoIT package runs, it unpacks the executable and .dll files; puts them in the appropriate folders; and sets up the program service, imitating a normal installation. It then creates the following two configuration files:

  • kws.ini
  • spitesp.dat

The above configuration files control the home page and redirection domain list, respectively.

The ‘kws.ini’ file is responsible for settings pertaining to locking the current home page and the desired home page URLs. The following is a list of home pages known to be associated with the threat, which are advertisement link farms:

  • hxxp://www.91xiaz.com/cn/?
  • hxxp://www.ww2221.com
  • hxxp://wvw.86819.com/

 

The ‘spitesp.dat’ file contains configuration details for a list of domains, which get redirected to the URL in the ‘kws.ini’ file in the event that a user tries to access them.

The following is a list of domains known to be redirected by the threat:

  • 1188.com
  • 360.com
  • 365j.com
  • 7f7f.com
  • bbs.360.cn
  • go2000.com
  • qq.com
  • qq5.com

Users are prevented from accessing these Web sites, which are all quite popular in China, as the threat redirects the browser to the pre-determined advertisement home page. Certain Web sites offering help with computer problems are also blocked and redirected (e.g. 360.cn).

Additionally, the threat deletes all Quick Launch icons except Internet Explorer. If Internet Explorer is not present in Quick Launch, a shortcut is created for it. This is possibly an attempt to ensure that a user must use Internet Explorer to browse the Internet as the Kingsoft WebShield package only works in the desired manner for Internet Explorer.

The Trojan also installs itself as an automatic service. Furthermore, as there is no uninstaller for this particular package, removal can prove to be quite challenging.

The Kingsoft WebShield otherwise behaves exactly as it is designed to, which may possibly prevent a user from recognizing that this particular WebShield package has been reconfigured.

These samples are currently detected by Symantec as Trojan Horse.