Downloader.Chepvil and the Malicious Feedback Loop!

Technical analysis: Poul Jensen, Illustrations: Ben Nahorney

Meet Downloader.Chepvil, a piece of malware that has been creating quite a lot of noise recently, hitting inboxes far and wide. This threat begins life as an innocent-looking email and quickly transforms itself into a powerful blended threat capable of stealing information, installing misleading applications, and mailing additional copies of itself from newly compromised computers.

To begin with, let’s take a look at the initial email. It usually follows a predictable format – an enticing message encouraging the victim to open the email attachment.

The content of the email will change frequently; but as an example, a recent set of emails contained the following message:

Dear customer.

The parcel was sent to your home address. And it will arrive within 3
business days.
More information and the tracking number are attached in document

Thank you.

Execute the file contained within the attachment at your peril! Downloader.Chepvil lies in wait and wastes no time inviting some unwelcome friends along to the party.

Once executed, a request is sent for an encrypted configuration file stored at Downloader.Chepvil now has its instructions to install the additional components.

These components are:

•    The Mailer (Trojan.Asprox)
•    The Harvester (An additional Downloader.Chepvil component)
•    The Moneymaker (SystemTool)

The following image illustrates this installation process more clearly in a step-by-step approach:

Ok, so now we’re in real trouble! What are Downloader.Chepvil’s three unwelcome friends capable of? Let’s introduce them:

The mailer:

Trojan.Asprox has been on our radar since June 2007, and for this operation it has been configured to send out the previously described emails (the initial infection vector).

Trojan.Asprox receives an emailing configuration template that has been observed to contain:

•    Approximately 2,000 target email addresses
•    A copy of Downloader.Chepvil to be attached to the email
•    A list of spoofed “From” addresses and “Subject” titles to introduce some variety into the sent emails.

This target email list of around 2,000 addresses is a subset of the entire list available to the attacker. Similar templates will be simultaneously sent out to all of the compromised computers that are under the attacker’s control and contain the Trojan.Asprox component.

The following table illustrates how well this model scales:

Compromised computers    Emails
1                        2,000
10                       20,000
100                      200,000
1000                     2,000,000
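
An added defensive example (not part of the original analysis): the mailer behaviour described above, one host sending the same attachment to many recipients under rotating "From" addresses, can be looked for in outbound SMTP logs. The record layout, host addresses, digest value and thresholds below are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed outbound-SMTP records: (time, src_host, mail_from, rcpt, attachment_digest)."""
    t0 = datetime(2011, 1, 1, 9, 0, 0)   # constructed timestamp
    log = []
    # Constructed infected workstation: 40 mails in 10 minutes, rotating spoofed
    # senders, every message carrying the same attachment.
    for i in range(40):
        log.append((t0 + timedelta(seconds=15 * i), "10.0.0.5",
                    f"sender{i % 5}@example.net", f"user{i}@example.org", "digest-A"))
    # Constructed normal user: few mails, one sender identity, no attachment.
    for i in range(3):
        log.append((t0 + timedelta(minutes=20 * i), "10.0.0.9",
                    "alice@example.com", f"peer{i}@example.org", None))
    return log

def flag_mailer_hosts(log, window=timedelta(minutes=15), min_rcpts=25, min_senders=3):
    """Return {host: (distinct_rcpts, distinct_senders, digest)} for hosts that, inside
    one time window, mail many recipients under several From addresses while
    attaching the same file. Thresholds are illustrative assumptions."""
    by_key = defaultdict(list)
    for ts, host, sender, rcpt, digest in log:
        if digest is not None:            # only attachment-bearing mail is of interest
            by_key[(host, digest)].append((ts, sender, rcpt))
    flagged = {}
    for (host, digest), events in by_key.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the left edge until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            rcpts = {e[2] for e in span}
            senders = {e[1] for e in span}
            if len(rcpts) >= min_rcpts and len(senders) >= min_senders:
                flagged[host] = (len(rcpts), len(senders), digest)
                break
    return flagged

if __name__ == "__main__":
    for host, hit in flag_mailer_hosts(build_sample_log()).items():
        print(host, hit)
```
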

The harvester:

This component is a comprehensive information-stealing component that is capable of harvesting email addresses and a wealth of credentials from a wide variety of applications and uploading them to the attacker at This stolen information is useful in many ways to the attacker, but two would prove extremely useful:

1.    Email addresses can be used to further feed the emailing component of the threat, in effect broadening its reach during the emailing phase.
2.    The stolen credentials can also be used to compromise additional servers in order to host SystemTool and Trojan.Asprox and make them available for download.

Over a short period of just over a week, 16 different servers were observed hosting these Trojan.Asprox and SystemTool components. Downloader.Chepvil uses these compromised servers to serve up malware for periods of between 3 and 53 hours.

So, why all of this effort?

The money:

SystemTool is a misleading application capable of causing serious system disruption and displaying exaggerated reports on a computer’s status. End goal? – Get the user to part with some money in order to install the “full product” and restore system stability and security. THIS WILL NOT BE THE CASE!

It is likely that the attacker behind Downloader.Chepvil simply takes a pay-per-install fee for the SystemTool threat. It is also highly likely that the SystemTool component will change to some other revenue-generating application over time.

The whole is greater than the sum of its parts:

Configuring several independent pieces of malware to work together can have powerful results, for example:

1.    A configurable mailer component can further distribute Downloader.Chepvil.
2.    A configurable Downloader.Chepvil component can be used to establish the blended threat environment on the newly compromised computer.
3.    An information-stealing component supplies stolen data that can be fed back and used in stages 1 and 2. This creates a positive feedback loop, in effect expanding the reach of every subsequent phase of the operation.
4.    The attacker is then capable of expanding the network and further monetizing the whole operation through any of the following options:
       •    Install pay-per-install malware (The current revenue-generating technique)
       •    Sell on stolen credentials?
       •    Utilize the Trojan.Asprox network for SPAM in tandem with distribution?

We will continue to keep a close eye on this nasty piece of work. So in the meantime, ensure that you have the most up-to-date protection and be vigilant when clicking links or opening attachments in your email.

Thanks for reading!