Our analysis of Trojan.Jokra, the threat that recently caused major outages in the Korean broadcasting and banking sectors, has turned up another wiper variant.
Over the past few days security researchers have been discussing the wiper component found in this Trojan, specifically the different wiper versions and the timings involved. We have seen the following strings used in four different variants:
- HASTATI and PR!NCPES in combination
Three of the wipers are packaged as position-independent executables (PIE) and the fourth as a dynamic-link library (DLL) injection. There are also some differences in timing.
Table. Trojan.Jokra wipers
Two of the wipers are instructed to wipe immediately upon execution. Another is instructed to wipe at 2 PM on March 20, 2013. We have recently come across another sample (530c95eccdbd1416bf2655412e3dddb) that wipes at 3 PM on March 20 regardless of the year. Note that a year-independent trigger of this kind remains live on any machine where the sample is still present, firing again every March 20, and that a timed trigger will not be observed in a sandbox unless the clock is set to the trigger window.
Figure. Trojan.Jokra wiper countdown
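The four trigger behaviours described above, modelled as an added example (this is not Symantec's code or code from the Trojan; the variant labels are illustrative and the trigger times are assumed to be local time on the infected machine, since the post gives no timezone). The point of `next_fire` is the difference between the fixed 2013 trigger, which is dead once that moment has passed, and the year-independent trigger, which always has a next firing date; `sandbox_clock_for` turns that into the clock value an analyst would set before detonating the sample:

```python
from datetime import datetime, timedelta
from typing import Optional

# Trigger models for the four wiper variants described in the post.
# Labels are illustrative; times are assumed local (the post gives no timezone).
WIPER_TRIGGERS = {
    "immediate-1": {"kind": "immediate"},
    "immediate-2": {"kind": "immediate"},
    "fixed-2013":  {"kind": "fixed", "at": datetime(2013, 3, 20, 14, 0)},
    "yearly":      {"kind": "yearly", "month": 3, "day": 20, "hour": 15, "minute": 0},
}


def next_fire(trigger: dict, now: datetime) -> Optional[datetime]:
    """Return the first moment at or after `now` when the trigger fires.

    Returns None when the trigger can never fire again (a fixed date that
    has already passed). A yearly trigger always has a next firing date.
    """
    kind = trigger["kind"]
    if kind == "immediate":
        return now
    if kind == "fixed":
        return trigger["at"] if trigger["at"] >= now else None
    if kind == "yearly":
        # March 20 exists in every year, so replace(year=...) is always valid here.
        candidate = datetime(now.year, trigger["month"], trigger["day"],
                             trigger["hour"], trigger["minute"])
        if candidate < now:
            candidate = candidate.replace(year=now.year + 1)
        return candidate
    raise ValueError(f"unknown trigger kind {kind!r}")


def sandbox_clock_for(trigger: dict, now: datetime,
                      lead: timedelta = timedelta(minutes=1)) -> Optional[datetime]:
    """Clock value to set in an analysis VM so the payload fires `lead` after start.

    None means there is no point rolling the clock: the trigger is dead.
    """
    fire = next_fire(trigger, now)
    return None if fire is None else fire - lead


if __name__ == "__main__":
    analysis_time = datetime(2014, 3, 20, 16, 0)  # constructed "now" for the demo
    for name, trig in WIPER_TRIGGERS.items():
        print(f"{name:12s} next fire: {next_fire(trig, analysis_time)}  "
              f"set VM clock to: {sandbox_clock_for(trig, analysis_time)}")
```

Run it with a `now` after March 20, 2013 and the fixed-date variant reports no next firing while the year-independent variant still reports one, which is exactly why the latter sample remains dangerous on any machine it is still present on.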
To protect your machine from Trojan.Jokra and other threats, make sure your computer has the latest patches and the most up-to-date antivirus definitions installed.
Tidserv (a.k.a. TDL) is a complex threat that employs rootkit functionality in an attempt to evade detection. The malware has remained on the Symantec radar since its discovery back in 2008. The latest variant of Tidserv being distributed in the wild has begun to employ the legitimate Chromium Embedded Framework (CEF). While this may not be the first time malware has made use of a legitimate framework for nefarious purposes, this new Tidserv variant requires the download of the 50 MB framework to function correctly, which is an unusual thing for a threat to do.
The Backdoor.Tidserv variant uses a modular framework that allows it to download new modules and inject them into clean processes. Previous variants of Tidserv used a serf332 module to perform network operations, such as link clicking and ad popups. serf332 does this using COM (Component Object Model) objects to open Web pages and inspect page content. In the last week we have observed Tidserv downloading a new module called cef32. This cef32 module has the same functionality as serf332 but requires cef.dll, which is part of the CEF. Unusually, this means the full 50 MB CEF must be downloaded to the compromised system.
There has been a considerable increase in downloads of the CEF over the last 18 days. While we cannot be certain how many of these downloads relate to Tidserv infection activity, if they are a result of the malware then the number of computers compromised with Tidserv would be sizeable.
Figure 1. Chromium Embedded Framework downloads, last 18 days
Using the CEF allows Tidserv to move much of the basic Web browser functionality out of its own modules and into the CEF library. This allows for smaller modules that are easier to update with new functionality. The downside for Tidserv is that the cef32 module needs the CEF cef.dll Dynamic Link Library in order to load. The URL of the CEF zip file is currently hardcoded in the serf332 binary, so any change to this URL will require an update to the serf332 module. That hardcoded URL is also a useful artifact for analysts: it can be recovered from the module image and used as a network indicator.
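The paragraph above notes that the CEF download URL is hardcoded in the serf332 binary. The following is an added example (not Symantec's code and not code from Tidserv) of the kind of extraction an analyst would run against a module image to recover such a URL as an indicator. Windows binaries carry strings as either ASCII or UTF-16LE, so both encodings are scanned; the sample module bytes and the hostnames in them are constructed for the demonstration, and the real Tidserv URL is not reproduced here.

```python
import re
from typing import List, Tuple

# Constructed sample module image: a fake MZ header, an ASCII URL, a UTF-16LE
# URL and an unrelated non-zip URL. Hostnames are placeholders, not real ones.
SAMPLE_MODULE = (
    b"\x4d\x5a\x90\x00" + b"\x00" * 16
    + b"http://cdn.example.invalid/cef_binary_win32.zip\x00"
    + b"\x00" * 8
    + "https://mirror.example.invalid/frameworks/cef.zip".encode("utf-16-le")
    + b"\x00\x00"
    + b"junk http://not-a-zip.example.invalid/index.html\x00"
)

# ASCII URL: scheme followed by printable, non-space bytes.
_ASCII_URL = re.compile(rb"https?://[\x21-\x7e]+")
# Decoded UTF-16LE runs are searched with the text equivalent.
_TEXT_URL = re.compile(r"https?://\S+")


def extract_urls(data: bytes, min_wide_len: int = 8) -> List[Tuple[int, str, str]]:
    """Return (byte_offset, encoding, url) for every URL found in `data`.

    ASCII URLs are matched directly. UTF-16LE URLs are found by locating runs
    of at least `min_wide_len` printable-char/NUL pairs, decoding the run and
    searching the decoded text; the offset is mapped back to the byte image.
    """
    found: List[Tuple[int, str, str]] = []
    for m in _ASCII_URL.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    wide_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_wide_len)
    for m in wide_run.finditer(data):
        text = m.group().decode("utf-16-le")
        for u in _TEXT_URL.finditer(text):
            found.append((m.start() + 2 * u.start(), "utf-16le", u.group()))
    return sorted(found)


def hardcoded_zip_urls(data: bytes) -> List[str]:
    """URLs in the image that point at a .zip archive, in image order."""
    return [url for _, _, url in extract_urls(data) if url.lower().endswith(".zip")]


if __name__ == "__main__":
    for offset, enc, url in extract_urls(SAMPLE_MODULE):
        print(f"0x{offset:06x} {enc:8s} {url}")
    print("zip download URLs:", hardcoded_zip_urls(SAMPLE_MODULE))
```

Point `extract_urls` at the bytes of an unpacked module (after any packer or string obfuscation has been stripped, which this example does not handle) and the `.zip` hits are the candidates for a download URL indicator; the byte offset lets you confirm the hit in a hex editor.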
The Chromium Embedded Framework (CEF) and its authors do not condone or promote the use of the CEF framework for illegal or illicit purposes. They will take all actions reasonably within their power to frustrate this use case. For that reason the binary that was being used by the malware product from the Google Code project page has been deleted. Other means of providing free binaries to users that protect, as much as possible, against this or similar abuses will be explored.
Symantec is continuing to track the evolution of threats such as Tidserv. Symantec recommends that you use the latest STAR Malware Protection Technologies to ensure the best possible protections are in place.