Cidox Trojan Spoofs HTTP Host Header to Avoid Detection

Lately, we have seen a good number of samples generating some interesting network traffic through our automated framework. The HTTP network pattern generated contains a few interesting parameters, with names like “&av” (for antivirus?) and “&vm=” (VMware?). The response received looked to be encrypted, which drew my attention. Also, all the network traffic contained the same host header. These samples turned out to be related to the Cidox Trojan family. Here is the Wireshark packet capture of the Get request:


One might immediately conclude that the host name in the Get request is the culprit and may be compromised, or that it is an attacker’s domain; neither is correct for this sample. The domain looked to be legitimate because it is the largest search engine in Russia. To confirm, I quickly checked the packet capture for the DNS request and the IP address to which the Get request was sent; it differs from the IP address of that domain. This tells me that the host header in the Get request is spoofed and must be hard-coded in these samples.

We have seen this trick used recently by malware authors: HTTP host headers are spoofed to point to legitimate domains in order to evade detection based on host headers, or to mislead researchers and automated tools. The response from the remote server was encrypted, so I decided to look into it.
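The check described above (compare the Host header with the DNS answers and the actual destination IP in the same capture) can be automated. The following is an added example, not code from the original post; the DNS answers, destination IPs and Host values are constructed records, and a real implementation would read them from the capture.

```python
"""Flag HTTP requests whose Host header is not backed by a DNS answer that
points at the connection's destination IP.

Added example with constructed input; it is not the original post's code.
"""
from collections import defaultdict
from ipaddress import ip_address

# Constructed DNS answers seen on the wire: (query name, answered IP)
DNS_ANSWERS = [
    ("search.example", "203.0.113.10"),
    ("search.example", "203.0.113.11"),
    ("cdn.example", "198.51.100.5"),
]

# Constructed HTTP requests: (destination IP of the TCP connection, Host header)
HTTP_REQUESTS = [
    ("203.0.113.10", "search.example"),   # Host matches a DNS answer: fine
    ("192.0.2.77", "search.example"),     # Host never resolved to this IP: spoofed
    ("198.51.100.5", "cdn.example"),      # fine
    ("192.0.2.78", "unknown.example"),    # Host was never even queried
]


def build_resolution_map(answers):
    """Map each queried name to the set of IPs DNS actually returned for it."""
    resolved = defaultdict(set)
    for name, ip in answers:
        resolved[name.lower().rstrip(".")].add(ip_address(ip))
    return resolved


def host_from_header(host):
    """Drop an optional :port and normalise case / trailing dot."""
    return host.split(":", 1)[0].lower().rstrip(".")


def find_spoofed_hosts(requests, answers):
    """Return (dst_ip, host, reason) for each request whose Host header does
    not correspond to a DNS answer for the destination IP."""
    resolved = build_resolution_map(answers)
    findings = []
    for dst, host in requests:
        name = host_from_header(host)
        dst_ip = ip_address(dst)
        if name not in resolved:
            findings.append((dst, host, "host never resolved via DNS"))
        elif dst_ip not in resolved[name]:
            findings.append((dst, host, "destination IP not among DNS answers"))
    return findings


if __name__ == "__main__":
    for dst, host, why in find_spoofed_hosts(HTTP_REQUESTS, DNS_ANSWERS):
        print(f"suspicious: dst={dst} Host={host} ({why})")
```

A mismatch is a signal rather than proof: CDNs and shared hosting legitimately rotate addresses, so the comparison should use the DNS answers observed in the same capture, as was done here, not a fresh lookup made later.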

The malicious binary used a custom packer and wasn’t difficult to unpack.


Once unpacked, you can see several interesting strings in the binary, below:


This binary checks whether the sample is running under VMware and also looks for antimalware services. Remember, the network traffic shown earlier contains “&vm=” and “&av=” parameters. We can conclude this binary sets those parameters based on the preceding checks. I could go on and on in this blog, but for your sake I will focus only on a couple of important items. The binary starts its main operation using the process replacement method, which overwrites the memory space of a running process with a malicious executable. The binary creates an “explorer.exe” process in suspended mode and maps its own code into the process memory, as shown next:


It then executes the mapped binary code with the “ResumeThread” procedure. The binary next drops a few files:


It sets a registry value to the path of a dropped DLL, so that each process that loads user32.dll will also load this DLL. It also drops some configuration files under the Cookies directory:


The cf file is encrypted, and we will look into the encrypted file shortly, but first we need to see the HTTP header generated by this binary. The binary collects information such as browser, operating system, the results of the antimalware and VMware checks, OS version (32 or 64 bit), etc., and prepares the HTTP Get request. Here is a screenshot of the Get request header in process:


As we suspected, the binary has a hard-coded host header that points to the legitimate domain seen earlier, but the domain actually contacted is different. It may come from a dropped encrypted configuration file. The response from the server is encrypted, as follows:


The binary uses a custom variant of the Tiny Encryption Algorithm (TEA) to encrypt and decrypt the data. Here a call is made to decrypt the response from the server:


TEA uses a 128-bit key for its encryption and decryption routines. The binary uses two hard-coded keys: one for decrypting the data that comes from the server, and a second for the data it stores locally in encrypted format, as shown in the preceding image. It is easy to identify the encryption method from a few constant values found in the algorithm. Here is a snapshot of the TEA code:
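To show what the analyst is matching on, here is textbook TEA (Wheeler and Needham) with a 128-bit key and 64-bit block, plus a scan for the delta constant that gives the algorithm away in a disassembly. This is an added example, not the sample's custom variant or the original post's code; the key, plaintext and byte buffer are constructed, and the zero-padding convention in tea_crypt is an assumption of this example.

```python
"""Tiny Encryption Algorithm round trip and a scan for its tell-tale constant.

Added example (standard TEA, not the malware's custom variant); key and data
below are constructed.
"""
import struct

DELTA = 0x9E3779B9   # the constant that identifies TEA in a disassembly
MASK = 0xFFFFFFFF
ROUNDS = 32


def tea_encrypt_block(v0, v1, key):
    """Encrypt one 64-bit block (two uint32) with a 128-bit key (four uint32)."""
    k0, k1, k2, k3 = key
    total = 0
    for _ in range(ROUNDS):
        total = (total + DELTA) & MASK
        v0 = (v0 + (((v1 << 4) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK
        v1 = (v1 + (((v0 << 4) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK
    return v0, v1


def tea_decrypt_block(v0, v1, key):
    """Inverse of the above: run the rounds backwards from the final sum."""
    k0, k1, k2, k3 = key
    total = (DELTA * ROUNDS) & MASK
    for _ in range(ROUNDS):
        v1 = (v1 - (((v0 << 4) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK
        v0 = (v0 - (((v1 << 4) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK
        total = (total - DELTA) & MASK
    return v0, v1


def tea_crypt(data, key_bytes, encrypt=True):
    """ECB over a byte string; pads with zero bytes to a multiple of 8
    (a constructed convention, not something the sample is known to do)."""
    key = struct.unpack("<4I", key_bytes)
    data = data + b"\x00" * (-len(data) % 8)
    fn = tea_encrypt_block if encrypt else tea_decrypt_block
    out = bytearray()
    for off in range(0, len(data), 8):
        v0, v1 = struct.unpack_from("<2I", data, off)
        out += struct.pack("<2I", *fn(v0, v1, key))
    return bytes(out)


def find_tea_constants(blob):
    """Offsets where TEA's delta, or its 32-bit negation (some implementations
    subtract 0x61C88647 instead of adding delta), appears little-endian."""
    patterns = [struct.pack("<I", DELTA), struct.pack("<I", (-DELTA) & MASK)]
    return sorted(i for p in patterns
                  for i in range(len(blob) - 3) if blob[i:i + 4] == p)


if __name__ == "__main__":
    key = b"0123456789abcdef"            # constructed 128-bit key
    ct = tea_crypt(b"hello world", key)
    print(ct.hex())
    print(tea_crypt(ct, key, encrypt=False).rstrip(b"\x00"))
```

When triaging a sample, a hit on 0x9E3779B9 (or 0x61C88647) next to a loop of shifts by 4 and 5 is usually enough to label the routine as TEA or one of its relatives (XTEA, XXTEA) before any key is recovered.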


Once decrypted, the response turns out to be a configuration file containing domain names, as seen below:


The binary stores this information in encrypted format in the file cf, as we saw earlier. The binary then downloads and installs another malicious program from a different server named in the configuration file. Here is the request:


The request to dldc.php returns an encrypted response that contains another executable file.


We won’t go into the details of the downloaded binary. The attacker behind this Trojan collects a lot of information through the Get request, including the results of the antimalware and VMware checks. The binary makes detection difficult for automated processes and intrusion detection or prevention systems by using spoofed host header names and a custom TEA for encrypting data. As we have learned, we can’t rely solely on the HTTP Host header to judge whether the domain named in it is malicious.

Futuristic bracelet uses heartbeats as a password—but is it secure?


A security startup has unveiled a wearable device that's designed to replace the hassle of passwords by using a person's unique heartbeat signature to log on to computers and unlock car doors. While the device is intriguing, the dearth of key technical details makes it impossible to assess the marketers' promise that it provides "complete security without compromising convenience."

The Nymi is a small bracelet equipped with a sensor that reads the electrocardiogram (ECG) of the person wearing it. Once it has verified that the heart signature belongs to the person who registered it, it provides a means of authentication that can in theory be used to access a virtually endless supply of electronic devices, including airport kiosks, hotel room doors, and sensitive computer networks. It relies on three factors of authentication—that is, two things the user has in the form of the bracelet and a paired mobile device, and one thing the user is in the form of a verified ECG. A slick promotional video shows someone gliding from bed to airports to hotels to cafes, effortlessly logging into devices and unlocking doors without once having to enter a password or procure a key. Sure sounds tempting.

Nymi by Bionym.

Alas, there's not enough information available about the Nymi's inner workings to know if it is truly groundbreaking or another dose of the kind of snake oil that's all too common in the security circuit. Karl Martin, CEO of the Nymi creator Bionym, said the device hasn't yet undergone a formal security audit. That means even he can't say just how impervious it is to the kinds of sophisticated attacks that would inevitably target a universal sign-on gizmo, although he gave some high-level details that are encouraging. That said, there are several classes of hacks that might be used to compromise the security assurances of the device.



G20 Summit Used as Bait to Deliver Backdoor.Darkmoon

Ahead of this week's G20 summit in Saint Petersburg, Russia, attackers are leveraging the meeting's visibility in targeted attacks.

One particular campaign we have identified is targeting multiple groups. They include financial institutions, financial services companies, government organizations, and organizations involved in economic development.


Figure 1. Email purporting to be from G20 Representative

The email purports to be sent on behalf of a G20 representative. The email continues:

Many thanks for circulating these updated building blocks. Please find the UK comments on these attached. I look forward to seeing you in St Petersburg soon.

The ‘building blocks’ mentioned are the theme of multiple documents, which discuss the UK government’s feedback on a series of building blocks to address development, anti-corruption, and employment.


Figure 2. File listing for malicious attachment

Attached to the email is a RAR archive file. The archive contains five files, two of which masquerade as different file types. One of the documents is actually an executable, while the .msg file is a .lnk file, a technique we have seen used in attacks before. If the victim tries to open the .msg file, it will run both the malicious executable and one of the non-malicious documents. The five files contained in the archive, and their MD5s, are as follows:
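A defender triaging such an archive can catch both tricks (an executable named as a document, a shortcut named as a message) by comparing each member's leading bytes with the type its extension claims. The following is an added example, not Symantec's code; the member names and contents are constructed stand-ins rather than the files from this campaign, and the "zip" check for .docx only tests the container header.

```python
"""Flag archive members whose content does not match the type their name claims.

Added example with constructed members; not the original post's code.
"""
import os

# (type label, header bytes the content must start with)
MAGIC = [
    ("pe", b"MZ"),                                   # Windows executable
    ("lnk", b"\x4c\x00\x00\x00"                      # HeaderSize 0x4C ...
            + bytes.fromhex("0114020000000000c000000000000046")),  # ... ShellLink CLSID
    ("ole", bytes.fromhex("d0cf11e0a1b11ae1")),      # OLE compound file (.msg, legacy .doc)
    ("zip", b"PK\x03\x04"),                          # ZIP container (.docx is OOXML)
]

# What each extension should contain
CLAIMED = {".docx": "zip", ".msg": "ole", ".doc": "ole", ".exe": "pe", ".lnk": "lnk"}


def sniff_type(content):
    """Return the type label whose magic bytes the content starts with."""
    for label, header in MAGIC:
        if content.startswith(header):
            return label
    return "unknown"


def find_masquerades(members):
    """Return (name, claimed type, actual type) for every member whose
    extension promises one format but whose bytes are another."""
    findings = []
    for name, content in members:
        ext = os.path.splitext(name)[1].lower()
        claimed = CLAIMED.get(ext)
        actual = sniff_type(content)
        if claimed is not None and actual != claimed:
            findings.append((name, claimed, actual))
    return findings


# Constructed archive listing: two real documents, one executable named as a
# document, and a shortcut named as an Outlook message.
ARCHIVE_MEMBERS = [
    ("UK - Building block_EMPLOYMENT - Aug.docx", b"PK\x03\x04" + b"\x00" * 28),
    ("UK - Building block_DEVELOPMENT - Aug.docx", b"PK\x03\x04" + b"\x00" * 28),
    ("UK comments - Aug.docx", b"MZ\x90\x00" + b"\x00" * 60),          # really a PE
    ("UK comments.msg", MAGIC[1][1] + b"\x00" * 56),                    # really a .lnk
]


if __name__ == "__main__":
    for name, claimed, actual in find_masquerades(ARCHIVE_MEMBERS):
        print(f"{name!r}: named as {claimed} but content is {actual}")
```

The two-byte "MZ" check is deliberately loose; a production scanner would follow e_lfanew to confirm a PE header, and would also treat any .lnk inside an e-mail attachment as suspicious regardless of its name.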

File name
  • UK - Building block_EMPLOYMENT - Aug.docx
  • UK - Building block_DEVELOPMENT - Aug.docx

Figure 3. Non-malicious document presented to the victim

The victim will be shown a non-malicious document. What is interesting about these documents is that each of them has track changes enabled and contains the UK comments referred to in the original e-mail. At this time, we cannot verify the authenticity of these documents, but from our observation, modifications were made to them earlier this month, and their metadata states that they were last modified by a user named “UK Government.”


Figure 4. Author information from the document

The malicious executable that runs in the background is known as Poison Ivy. Symantec detects this executable as Backdoor.Darkmoon.

Backdoor.Darkmoon is a well-known remote access Trojan (RAT) that has been used in various targeted attack campaigns over the years, including The Nitro Attacks which we reported on in 2011.

When executed, this version of Backdoor.Darkmoon will copy itself to %Windir% as winupdsvc.exe. It will then attempt to connect to the following URLs on ports 80, 8080, or 443:

  • [http://]
  • [http://]
  • [http://]

While this particular campaign leverages Darkmoon, we have found other campaigns from the same group using different threats. Last month, we found them using Java remote access tools (jRAT) that we identify as Backdoor.Jeetrat and Backdoor.Opsiness, also known as Frutas RAT.

Security Response is aware of other groups using the G20 Summit as a theme in targeted attacks, which showcases how this particular meeting is ripe for attackers to use as bait.