Waledac Reloaded: Trojan.Rloader.B

Recently, we blogged about systems compromised by W32.Virut that were observed downloading W32.Waledac.D (Kelihos). Symantec has followed the evolution of Waledac for a number of years and has seen the botnet show considerable resilience against past take-down efforts. Waledac is traditionally known as a spamming botnet and has been observed sending up to 2000 malicious emails a day.

Figure 1. W32.Waledac.D spam

In the past two months, we have observed Waledac infection numbers go from strength to strength, with the majority of infections originating in the United States.

Figure 2. Top 10 countries with computers compromised by W32.Waledac.D

Computers compromised with W32.Waledac.D were also distributing additional malware that had initially been detected as Backdoor.Tidserv. However, following our analysis, we discovered it to be a new variant of Trojan.Rloader, dubbed Trojan.Rloader.B. Like its older brother, Trojan.Rloader.B's main functionality revolves around click fraud.

Figure 3. Trojan.Rloader.B attack steps

When Trojan.Rloader.B is first executed on the victim's computer, it checks that it is running on a physical machine and terminates itself if it finds that it is running within a virtual machine, since virtual machines frequently run antivirus software and malware analysis tools. Next, it collects information about the compromised host and sends it to the command-and-control server to register the compromised computer. It then modifies the Windows hosts file to redirect a number of popular search engines to a malicious IP address that serves pop-up advertisements embedded within search results.

Trojan.Rloader.B also targets Mozilla Firefox and Internet Explorer Web browsers by modifying their preferences to redirect search requests to http://findgala.com. This is also done to display advertisements on the compromised computer.
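As an added example (not code from the original post), a small Python check a responder could run against a Windows hosts file to spot the kind of search-engine redirect described above: any mapping of a well-known search-engine name to something other than a loopback or unspecified address is reported. The search-engine list, the sample hosts file and its 192.0.2.10 address are constructed for the example and are not indicators from the post.

```python
import ipaddress
import re

# Search-engine names worth watching; an assumption for the example, not a list from the post.
SEARCH_ENGINES = {"www.google.com", "google.com", "www.bing.com", "bing.com",
                  "search.yahoo.com", "www.ask.com"}
# Addresses a legitimate hosts file may legitimately map a name to.
BENIGN_TARGETS = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed sample of a hosts file after tampering (192.0.2.10 is a documentation
# address used as a placeholder, not an address from the post).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.google.com google.com   # injected entry
192.0.2.10      www.bing.com
127.0.0.1       ads.example.test
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and junk."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an address; ignore the line
        for name in parts[1:]:
            yield str(ip), name.lower()

def find_search_redirects(text, engines=SEARCH_ENGINES):
    """Return [(hostname, ip)] for search engines mapped to a non-loopback address."""
    return [(name, ip) for ip, name in parse_hosts(text)
            if name in engines and ip not in BENIGN_TARGETS]

def check_system_hosts(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Run the check against the live hosts file (default is the Windows location)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_search_redirects(fh.read())

if __name__ == "__main__":
    for name, ip in find_search_redirects(SAMPLE_HOSTS):
        print(f"{name} is redirected to {ip}")
```

The same idea extends to the browser preferences mentioned above: a search or keyword URL pointing at an unexpected host is the artifact to look for.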

During our investigation, we noticed Trojan.Rloader.B dropping a second click-fraud component previously detected as Trojan.Spachanel, which we discussed in a previous blog. When executed, Trojan.Spachanel injects JavaScript to load pop-up advertisements within the compromised browser.

Figure 4. Pop-up advertisement example

Symantec has detections in place for the new Rloader variant as Trojan.Rloader.B. We have updated the detections for Spachanel click-fraud modules as Trojan.Spachanel. Symantec will continue to monitor the activities of the Waledac botnet while ensuring the best possible protection is in place for our customers. To aid in protection against botnet infection, Symantec recommends that you employ the latest Symantec technologies.

New Tidserv Variant Downloads 50 MB Chromium Embedded Framework

Tidserv (a.k.a. TDL) is a complex threat that employs rootkit functionality in an attempt to evade detection. The malware has remained on the Symantec radar since its discovery back in 2008. The latest variant of Tidserv being distributed in the wild has begun to employ the legitimate Chromium Embedded Framework (CEF). While this may not be the first time malware has made use of a legitimate framework for nefarious purposes, this new Tidserv variant requires the download of the 50 MB framework to function correctly, which is an unusual thing for a threat to do.

The Backdoor.Tidserv variant uses a modular framework that allows it to download new modules and inject them into clean processes. Previous variants of Tidserv used a serf332 module to perform network operations, such as link clicking and ad pop-ups; serf332 does this using COM (Component Object Model) objects to open Web pages and inspect page content. In the last week we have observed Tidserv downloading a new module called cef32. This cef32 module has the same functionality as serf332 but requires cef.dll, which is part of the CEF. Unusually, this means the full 50 MB CEF must be downloaded to the compromised system.

There has been a considerable increase in downloads of the CEF over the last 18 days. While we cannot be certain how many of these downloads relate to Tidserv infection activity, if they are a result of the malware, the number of computers compromised with Tidserv would be sizeable.

Figure 1. Chromium Embedded Framework downloads, last 18 days

The CEF provides a Web browser control based on the Google Chromium project. This allows developers to build applications that include Web browser windows. The CEF libraries perform all of the functionality required to run the browser, such as parsing HTML or parsing and executing JavaScript.

Figure 2. Tidserv JavaScript passed to Chromium Embedded Framework library

Using the CEF allows Tidserv to move a lot of the basic Web browser functionality out of its own modules and into the CEF library. This allows for smaller modules that are easier to update with new functionality. The downside of Tidserv using CEF is that the cef32 module needs the CEF cef.dll Dynamic Link Library in order to load. The URL to the CEF zip file for download is currently hardcoded in the serf332 binary, so any change to this URL will require an update to the serf332 module.

The Chromium Embedded Framework (CEF) and its authors do not condone or promote the use of the CEF framework for illegal or illicit purposes. They will take all actions reasonably within their power to frustrate this use case. For that reason the binary that was being used by the malware product from the Google Code project page has been deleted. Other means of providing free binaries to users that protect, as much as possible, against this or similar abuses will be explored.

Symantec is continuing to track the evolution of threats such as Tidserv. Symantec recommends that you use the latest STAR Malware Protection Technologies to ensure the best possible protections are in place.

W32.Changeup – A Malicious Gift That Keeps On Giving

In mid-2009 W32.Changeup, a polymorphic worm written in Visual Basic, was first discovered on systems around the world. Over the last few years, we have profiled this threat, explained why it spreads, and shown how it was created.

In the last week there has been an increase in the number of W32.Changeup detections. The increase in detections is a result of an updated version of W32.Changeup now circulating in the wild:

Figure. Detections of updated version of W32.Changeup in last seven days

W32.Changeup comes bearing gifts. When a system is compromised, W32.Changeup may install additional malware. The threats vary from Backdoor.Tidserv to Trojan.FakeAV, as well as Backdoor.Trojan and Downloader Trojan, and the Downloader Trojan will in turn download even more malware onto the compromised computer.

The worm copies itself to removable and mapped drives by taking advantage of the AutoRun feature in Windows. The latest version of the worm also copies itself to the following locations:

  • %UserProfile%\Passwords.exe
  • %UserProfile%\Secret.exe
  • %UserProfile%\Porn.exe
  • %UserProfile%\Sexy.exe

Security Response strongly recommends steps be taken to prevent worms from leveraging this feature. We have the following protections in place for the latest version of W32.Changeup:

  • Antivirus
  • Intrusion Prevention System: System Infected: W32.Changeup Worm Activity

We also have identified the servers the latest version of the worm attempts to contact after compromising a computer:


Security Response will continue to monitor W32.Changeup and provide protections against variations and accompanying malware.

Are MBR Infections Back in Fashion? (Infographic)

A Master Boot Record (MBR) is an area of the hard disk (usually the first sector) used by a computer to perform start-up operations. It is one of the first things read and executed by the computer hardware when a computer is powered on, even before the operating system itself. When it comes to gaining control of the hardware first, you can't really beat the MBR, with the exception of the hardware ROM (BIOS) itself.

MBR infections offer great scope for deep infection and control of computers, which makes the idea attractive to malware creators. Contemporary MBR infection methods are a fairly complex affair and are beyond the reach of most malware creators, apart from the more highly skilled individuals. This is probably one reason why, after the creators of Trojan.Mebroot rediscovered the lost art of MBR infection back in 2007 (building on work done by Soeder and Permeh of eEye Digital Security in 2005 on BootRoot), not many other malware creators have followed in their wake. Mebroot was a significant piece of malware. It not only infected the MBR of the computer but also implemented direct disk access to write its own code into unused sectors of the hard disk, placing itself in an area that the host operating system isn't even aware of. This type of low-level infection, coupled with a sophisticated rootkit, makes Mebroot difficult to detect and remove from an infected computer. The way to defeat it is to get access to the hardware while avoiding the malware's hooks, or before the malicious MBR gets to execute.

While MBR infection has been a mainstay of Mebroot since the start, another gang, the one responsible for the highly sophisticated threat Backdoor.Tidserv (which originally infected system driver files), decided that they too would have a piece of the MBR action. They jumped on the MBR bandwagon in the summer of 2010 with Backdoor.Tidserv.L, and subsequent versions have used this method since. Aside from Mebroot and Tidserv, few other threats between 2008 and 2010 used the MBR infection technique, Trojan.Mebratix and Trojan.Bootlock being the only examples. It looked like MBR infections were going nowhere fast.

Fast forward to now, and the picture for MBR malware has changed considerably. So far in 2011, we have seen Backdoor.Tidserv.M, Trojan.Smitnyl, Trojan.Fispboot, Trojan.Alworo, and Trojan.Cidox. This represents as many new MBR or boot-time malware threats as there had been in all of the previous three years. This statistic points to a possible trend towards increasing use of boot-time infection (particularly of the MBR) as a way to infect computers.

We should also note that much of the hard graft of building this type of malware has already been done by researchers and early adopters. When researchers released details for BootRoot and VBootkit, malware authors literally took the research and proof-of-concept code and simply adapted them for their own needs. From our observations, we can tell that a number of MBR-infecting malware families currently in circulation borrowed heavily from the BootRoot PoC. The arrival of short-lived ransomware-type threats lends weight to the idea, because this type of malware can be considered throw-away code. Ransomware is made for a single purpose and is not expected to provide a long length of service, so the people who make it don't want to spend too much time and effort creating it and hiding it on the computer. This is in sharp contrast to the more advanced examples of back door Trojans, whose creators are trying to build a lasting and useful network of computers for profit. These are signs that the barrier to entry for this type of malware has been lowered.

At this time, all of the recent boot-time malware targets the MBR, with the exception of Trojan.Cidox, which takes a slightly different approach. Instead of targeting the MBR, it infects the Initial Program Loader to achieve a similar overall effect; this is an innovation on the current MBR infection techniques.

As with any malware infection, the key is to not get infected in the first place. Symantec has been quick to add detection for such malware whenever it is discovered (so keep your detections up-to-date), and we also offer various tools that can help to remove it. For MBR-infecting threats, a simple way to disable the malware is to boot from a bootable CD and then run "fixmbr", which restores the MBR to a default setting. This stops the MBR-based malware from executing. For other, more tricky threats you can try tools such as the Norton Boot Recovery Tool.
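To complement the fixmbr advice, here is an added Python example (not from the original post) that parses a raw 512-byte MBR in the classic layout, checks the 0x55AA boot signature and the partition table, and compares the bootstrap code against a SHA-256 baseline recorded from a known-clean system, which is how a responder can tell that the boot code has been replaced even when the partition table looks normal. The sample sectors and their boot-code bytes are constructed for the example.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446       # classic layout: bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446      # four 16-byte partition entries follow it
SIGNATURE = b"\x55\xAA"   # boot signature at bytes 510..511

def parse_mbr(sector):
    """Return (sha256 of boot code, partition list, signature_ok) for one sector."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    sig_ok = sector[510:512] == SIGNATURE
    code_hash = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    parts = []
    for i in range(4):
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 means an empty slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return code_hash, parts, sig_ok

def check_mbr(sector, baseline_hash):
    """Compare a sector against the recorded baseline; empty list means nothing found."""
    code_hash, parts, sig_ok = parse_mbr(sector)
    findings = []
    if not sig_ok:
        findings.append("boot signature 0x55AA missing")
    if code_hash != baseline_hash:
        findings.append("boot code differs from recorded baseline")
    if not any(p["bootable"] for p in parts):
        findings.append("no active partition")
    return findings

def build_sample(boot_code):
    """Constructed MBR: the given boot code plus one active NTFS partition at LBA 2048."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    sector[510:512] = SIGNATURE
    return bytes(sector)

# Constructed "clean" sector; the hash is what you would record from a trusted system.
CLEAN = build_sample(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 8)
CLEAN_HASH = hashlib.sha256(CLEAN[:BOOT_CODE_LEN]).hexdigest()
# Same partition table, different boot code: the footprint an MBR infector leaves.
TAMPERED = build_sample(b"\xEA\x00\x7C\x00\x00" + b"\x90" * 8)
```

On a live system, feed `check_mbr` the first 512 bytes read from the raw disk device (for example \\.\PhysicalDrive0 on Windows or /dev/sda on Linux), ideally from a clean boot environment so that the malware's disk hooks are not in the read path.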

From a historical point of view, infecting the MBR is not a new technique per se; many of the old boot sector viruses from over a decade ago did something similar. The difference is that modern MBR malware does so much more than just infect the MBR.

They say that fashion comes in cycles, so is MBR malware making a comeback in 2011? It certainly looks that way. The following infographic summarizes these threats and what they do. (A big thanks to Stephen Doherty and Piotr Krysiuk for their input.)
