First Widespread Virus Cross-infection

After being in oblivion for a while, the Xpiro family of file infectors is back with a bang—and this time with some notorious capabilities. Not only does the new variant infect 32-bit files, it also has broadened its scope of infection to 64-bit files. The infections are cross-platform (a 32-bit Xpiro variant can infect a 64-bit executable file, and vice versa) and persistent in nature. Additionally, this virus has also enhanced its information stealing capabilities by adding Firefox and Chrome extensions to monitor browser sessions.
 
Cross-infection and persistence
While we have seen cross-infectors in the past, Xpiro is the first widespread family of infectors that implements this feature. This new variant can infect executable files built for the following architectures:
  • Intel 386 (32-bit)
  • Intel 64 (64-bit)*
  • AMD64 (64-bit)
The creators of Xpiro are looking to infect a larger number of computers, and the combination of cross-infection with persistence shows they are leaving no stone unturned in that attempt.
 
Traditionally, file infectors spread by infecting other executables without caring about persistence. This variant uses an astute technique to achieve both. First, it enumerates all Win32 services and attempts to infect the service executables. It then follows all the link files (.lnk) in the user's desktop and Start Menu folders and infects the files they point to. It chooses these files because they have the highest probability of being run by the system or the user when the computer first starts, so the infection survives successive reboots. Finally, it infects all executables on drives C to Z if the drive is fixed, removable, or mapped.
 
*The new variant infects Intel 64 files as well, but a bug in the infector's code leaves those files corrupted. Symantec detects and repairs such files to their correct state.
 
Enhanced information stealing
The ultimate goal of Xpiro has always been to steal information from the infected host. The goal remains the same, but the theft is stealthier now. When an Xpiro infector runs on a computer, it now adds a Firefox or Chrome extension in addition to infecting executable files. The Firefox extension is hidden, while the Chrome extension is named "Google Chrome 1.0" so that it can pass as a clean extension and mask its presence. The Firefox extension, for instance, can perform the following actions:
  • Hide extension presence
  • Lower browser security
  • Spy on user Internet activity
  • Steal logs
  • Redirect browser to predefined URLs
After installation, when a new instance of Firefox is opened the browser indicates that a new add-on has been installed, but the extension cannot be found in the extension list.
 
Figure 1. Extension list before infection
 
Figure 2. Extension list after infection
 
The Xpiro extension hides itself from the extension list, so the list shows the same number of extensions before and after infection. It also lowers browser security by modifying the browser configuration.
 
Figure 3. Reduced browser security
 
When a user tries to update the browser or browser extensions, the updates won't take place because Xpiro replaces the update URL with 127.0.0.1, the local loopback address. Xpiro does this to avoid any change in configuration that might expose it as malware.
 
Figure 4. Xpiro-disabled update
 
The hidden extension disables many security warnings normally shown in the browser to warn the user. The extension also disables some safe browsing features which would otherwise provide phishing protection to users when enabled.
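The two configuration changes described above (an update URL rewritten to the loopback address and safe browsing switched off) can be checked for in a Firefox profile's prefs.js. The following script is an added example written for this post, not Symantec's tooling; the preference names it inspects are standard Firefox preference names assumed for the check, since the post does not name the exact preferences the extension rewrites, and the sample prefs.js content is constructed.

```python
import re
from urllib.parse import urlparse

# One Firefox preference line, e.g. user_pref("app.update.url", "http://...");
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+)\);\s*$')

# Preference names are assumptions for this example (standard Firefox pref
# names); the post itself does not say which preferences Xpiro rewrites.
UPDATE_URL_PREFS = ("app.update.url", "extensions.update.url")
SAFEBROWSING_PREFS = ("browser.safebrowsing.enabled", "browser.safebrowsing.malware.enabled")
LOOPBACK_HOSTS = ("127.0.0.1", "localhost")

def parse_prefs(text):
    """Return {name: value} from prefs.js-style text; strings and booleans
    are decoded, anything else is kept as its raw text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = raw
    return prefs

def find_indicators(prefs):
    """Flag the two kinds of tampering described above: update URLs pointed
    at the loopback address and safe browsing switched off."""
    findings = []
    for name in UPDATE_URL_PREFS:
        url = prefs.get(name)
        if isinstance(url, str) and urlparse(url).hostname in LOOPBACK_HOSTS:
            findings.append(f"{name} points at loopback host")
    for name in SAFEBROWSING_PREFS:
        if prefs.get(name) is False:
            findings.append(f"{name} is disabled")
    return findings

# Constructed sample prefs.js content for the demo, not a real capture.
SAMPLE_PREFS = '''\
user_pref("app.update.url", "http://127.0.0.1/update.xml");
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", true);
user_pref("extensions.update.url", "https://versioncheck.addons.mozilla.org/update/");
'''
```

Run `find_indicators(parse_prefs(open(path).read()))` against a profile's prefs.js to list the tampered settings; an empty list means neither indicator is present.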
 
Xpiro monitors all HTTP activity in the browser and uploads it to a remote server. It then downloads the following lists from predefined servers:
  • Target URLs
  • Redirection URLs
When a user browses to one of the target URLs on the list, the extension redirects the browser to the corresponding URL from the redirection list. The redirected URL could be an advertising page or a page that downloads more malware.
 
The Xpiro attackers have upgraded the threat’s functionality to be persistent, stealthier, and most importantly to cross-infect executable files on multiple platforms. Other infector families may be expected to follow suit and add sophisticated functionality to their arsenal in order to be more potent and viable across different platforms. Symantec, however, is committed to protecting your data and information against such advanced threats. Symantec detects this new variant of the Xpiro family as W32.Xpiro.D and W64.Xpiro and also repairs damaged files. Symantec customers are advised to keep their virus definitions up to date.