Chicken or Egg: Where Does W32.Changeup Come From?

­Throughout history, philosophers and scientists have pondered the question of which came first: the chicken or the egg. Over the last week, Security Response has seen an increase in the number of W32.Changeup detections. We know that Changeup can download a bevy of other threats onto a compromised computer. But an unanswered question is how does W32.Changeup compromise a computer in the first place?

While other vend­­­­ors have indicated the latest round of Changeup has spread through social networking websites, Symantec Security Response has managed to identify one source of the worm.

In recent malicious spam claiming to contain a secure message from banking institutions (Figure 1), users are instructed to download an attached file and execute it. This securedoc.html.zip file is actually an executable file that Symantec detects as Downloader.Ponik.

Figure 1. Downloader.Ponik attached to spam

Once the user executes this file, Downloader.Ponik attempts to contact different URLs in order to locate and download the peer-to-peer version of Trojan.Zbot (also known as Gameover). Trojan.Zbot will then download and execute W32.Changeup.

Figure 2. Steps in Downloader.Ponik attack

Symantec has antivirus and intrusion prevention system signatures in place to protect customers from Ponik, Zbot, and Changeup.

Antivirus protection

Intrusion Prevention System signatures

In addition to the most current antivirus protection and intrusion prevention signatures, Security Response recommends companies warn employees about downloading attachments from email.

While W32.Changeup spreads to network shares and removable drives, we have also observed it downloading the peer-to-peer Trojan.Zbot as well, so one malware may come before the other interchangeably. It is plausible then that the driving force behind the recent rise in Changeup detections is actually to help distribute peer-to-peer Trojan.Zbot.