Trojan Horse Using Sender Policy Framework

It is important for malware authors to keep a solid network connection between their malware on compromised computers and their own servers so that the malware can receive commands and be updated. However, communication between the malware and the malware servers may be filtered by a gateway or local firewall, or blocked by an intrusion prevention system (IPS). Consequently, malware authors keep looking for more robust ways to communicate between the malware and their servers. For example, I wrote a blog post last November detailing how Backdoor.Makadocs uses the Google Docs viewer function as a proxy to maintain a solid connection between the malware and its servers. More recently, I discovered a Trojan horse that uses Sender Policy Framework (SPF), an email validation system designed to prevent email spam, to achieve the same goal.

Basically, SPF consists of a Domain Name System (DNS) request and response. If a sender's domain is set up to use SPF, its DNS zone publishes the SPF policy as a text (TXT) record, so the DNS response to a receiving mail server contains the SPF data in that TXT record.

Figure 1. How SPF works

The following matrix contains some SPF examples of major legitimate sites.

Table 1. SPF examples of major legitimate sites

The point for the malware author is that the domains or IP addresses listed in an SPF record can be obtained with a single DNS request, and the compromised computer does not need to send that request to the attacker's server itself. Usually the local DNS server acts as a caching (recursive) resolver: the computer asks it for the record, and the cache server performs the lookup on the computer's behalf.

Discovery of a Trojan horse using SPF

Recently, I discovered a Trojan horse (detected by Symantec products as Trojan.Spachanel) that uses SPF. Basically, it hijacks a Web browser to inject malicious content into every HTML page the browser loads. The process by which the malware carries out an attack is illustrated below.

Figure 2. How Trojan.Spachanel carries out an attack

Below is a captured SPF record that is received from the attacker’s DNS server.

Figure 3. A malicious SPF record

The following is an example of the JavaScript that is inserted at the end of an HTML tag. The obfuscated URL in the image below is the same as the obfuscated URL in Figure 3.

Figure 4. Example of JavaScript inserted after an HTML tag

Why did the attacker use SPF to get the malicious domains or IP addresses? My guess is that the attacker wants to hide the communication inside legitimate-looking DNS queries. If this malware connected to the attacker's server on a high-numbered port with its own protocol, the traffic might be filtered by a gateway or local firewall, or blocked by an intrusion prevention system (IPS). In some cases, specific domains are blocked by a local DNS server, but this malware generates a domain that is rarely filtered. Furthermore, DNS requests are generally not sent directly to the authoritative server: there is usually a DNS cache server in the local network or in the ISP's network, so the compromised computer only ever talks to that resolver, which makes the traffic difficult for a firewall to filter. This, therefore, is the attacker's attempt to maintain a solid connection between the malware and the attacker's server.
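The two preceding sections describe how SPF data is carried in a TXT record and why a resolver-mediated lookup is hard to filter. As an added illustration that is not part of the original post or Symantec's code, the Python below parses an SPF TXT record into its RFC 7208 terms (the same parsing the malware would need to pull domains and IP addresses out of a record) and then flags tokens that SPF syntax does not allow, which is one check a resolver-log review or DNS security tool could apply to spot a "policy" that is really a message to malware. Both sample records are constructed; the record in Figure 3 is not reproduced on this page, and SPF macros such as %{i} are not handled.

```python
import re

# Mechanisms and modifiers defined by RFC 7208; any other token in a v=spf1
# record is not SPF syntax and deserves a closer look. Macros (%{i} etc.) are
# not handled here, so records using them are reported as unknown terms.
KNOWN_MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
KNOWN_MODIFIERS = {"redirect", "exp"}
IP4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$")
DOMAIN = re.compile(r"^[a-z0-9_.-]+\.[a-z]{2,}$", re.I)
TERM = re.compile(r"^([a-z0-9]+)(.*)$", re.I)


def parse_spf(record):
    """Split a TXT record into (qualifier, name, argument, is_modifier) terms,
    or return None when the record does not start with v=spf1."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        if "=" in term:                                 # modifier, e.g. redirect=example.net
            name, _, arg = term.partition("=")
            parsed.append(("", name, arg, True))
            continue
        qualifier = term[0] if term[0] in "+-~?" else ""
        match = TERM.match(term[len(qualifier):])
        if not match:                                   # unparseable token, flagged below
            parsed.append((qualifier, term, "", False))
            continue
        name, rest = match.groups()
        arg = rest[1:] if rest.startswith(":") else ""  # "/24" on a/mx is a CIDR, not an argument
        parsed.append((qualifier, name, arg, False))
    return parsed


def spf_anomalies(record):
    """Return the reasons a TXT record does not look like a genuine SPF policy."""
    terms = parse_spf(record)
    if terms is None:
        return ["not an SPF record"]
    problems = []
    for _, name, arg, is_modifier in terms:
        known = KNOWN_MODIFIERS if is_modifier else KNOWN_MECHANISMS
        host = arg.split("/")[0]                        # drop a trailing CIDR length
        if name.lower() not in known:
            problems.append(f"unknown term {name}")
        elif name.lower() == "ip4" and not IP4.match(arg):
            problems.append(f"malformed ip4 argument {arg}")
        elif name.lower() in {"include", "a", "mx", "exists", "redirect"} and host and not DOMAIN.match(host):
            problems.append(f"non-domain argument for {name}: {arg}")
    if not terms or terms[-1][1].lower() not in {"all", "redirect"}:
        problems.append("no terminal all mechanism or redirect modifier")
    return problems


# Constructed sample records (not the record shown in Figure 3).
LEGIT = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net mx -all"
SUSPECT = "v=spf1 ip4:198.51.100.7 dGVzdC1wYXlsb2Fk ~all"   # opaque token smuggled into the record
```

Running `spf_anomalies` over the TXT answers a resolver returns gives an empty list for the legitimate record and reports the smuggled token for the suspect one; the same check can be applied to every v=spf1 answer seen in resolver logs.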

What happens after infection?

The inserted JavaScript tag loads the malicious content, which overlays a pop-up window on the bottom left corner of the browser. The legitimate site itself is not infected and is not connected with the pop-up content in any way. (In Figure 5, the site used to illustrate this effect is the Symantec home page.) The JavaScript is inserted only in the compromised computer's browser, not on the Web server, so computers that are not compromised by this malware will not see the window.

Figure 5. Legitimate site appearing to display malicious content

So far, we have seen the following four types of pop-up windows.

Figure 6. Four examples of malicious pop-up windows

From what we have seen, if a button on the “PC Speed Test” or “PC Performer Test” pop-up window is clicked, the browser redirects the user to a security risk download site. The “how fast can you build your muscle mass?” pop-up window looks like an advertisement, but at the time of writing nothing happens if the button is clicked. We have only seen the “captcha” pop-up window in one attack and we have not yet analyzed it to see what it does.

Evidently the purpose of these attacks is to make money for the attacker by selling security risks and generating advertisement clicks.

To stay safe, please ensure that your computer has the latest software patches installed and always keep your antivirus definitions up-to-date.