TDSS Trojan spreading through social networks

Users have reported to us another case of a massive blackhat SEO campaign used to redirect traffic to infected websites, with the objective of infecting users with the widespread and very dangerous TDSS Trojan.

The blackhat SEO campaign targeted the most popular video streaming websites, such as YouTube and Metacafe, and the malicious files served to users are not detected by most on-demand antivirus scanners. We have also noticed that the malicious file is replaced with a new (and undetected) malicious file every x days, or in some cases every x hours.

Searching google.com for links to the malicious domains on the popular video streaming websites gives the following numbers of pages:

From the images above we can see that the total number of links found on Google, counting YouTube and Metacafe only, is approximately 19,611, and we assume that the total number of infected users could be more than 50,000.

All the malicious links are contained in the descriptions of the videos, but in some cases we have noticed that they are also shown inside the videos themselves. Some videos also describe how to use the specific (infected) application: for example, that the user needs to run the executable with "Run as Administrator", that the file is completely clean of viruses (false), or that it needs to be allowed through the firewall to work properly (false), etc.

Using this kind of social engineering, the malicious files can be fully installed on the system and take complete control of the computer very easily (especially if executed as Administrator or added to the exclusion list of the local antivirus/firewall, as described above).

In brief, it exploits the human mind: it tells users what they need to do and, if successful, this technique can bypass every kind of security control.

From the links found on the video streaming websites, we can see that the keywords targeted in the titles of the fake videos are mostly related to the new Windows 7 and to video games:

Windows 7 Keygen for 32 and 64 bit
Windows 7 Keygen for all Versions
How to: Get Windows 7 Ultimate for FREE.
How to Install and Activate Windows 7
Windows 7 Professional Keygen - 100% Working
Win7 Build 7264 & 7600 activation crack
Lockerz hack glitch
Windows 7 Professional Keygen - 100% Working
learn how to hack...very easy
Ultimate Psptube 2.0- Youtube on PSP Tutorial 5.00m33
Lockerz hack glitch
PSP Brick Recovery - low quality tutorial
FREE itunes Code Generator helps a lot!!
Habbo Hack - Credit Hack V1 - For Austraila - US
Xbox Live Generator- by CodeMaker400
how to Hack a Credit Card Number , VISA 2010

The infected websites that host the malicious files are the following:


Note that all users who click the malicious links in the descriptions of the fake videos are redirected to the same page, download.html, which contains the fake virus scan report and the download of the infected file.

Another method used by this blackhat SEO campaign is to show the user a fake virus scan report for the malicious file, claiming that the file is completely clean and safe when in reality it is infected.

In particular, the malicious websites display a scan report that mimics the look of our multi-engine antivirus scanner report, and users are also redirected to our website with the following GET request:

GET /initial

After checking our web server logs, we counted more than 9,000 unique IP addresses that requested the GET /initial page; all of them could be infected users:

root@server$ cat access.log | grep initial | awk '{print $1}' | sort | uniq | wc -l
root@server$ 9563
root@server$
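The same count done with a small log parser instead of `grep`, as an added example that is not from the original post. The log lines are constructed, and the script also reproduces the post's grep pipeline to show how a line that mentions "initial" only in its Referer field would be over-counted:

```python
import re

# Constructed sample lines in Apache combined log format (not the post's real
# access.log). Line 4 contains "initial" only in the Referer field, so the
# post's `grep initial | awk '{print $1}'` pipeline counts that IP although
# /initial was never requested by it.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2010:10:01:02 +0000] "GET /initial HTTP/1.1" 200 512 "http://malicious.example/download.html" "Mozilla/4.0"
203.0.113.10 - - [12/Jan/2010:10:01:09 +0000] "GET /initial HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Jan/2010:10:02:30 +0000] "GET /initial HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.8 - - [12/Jan/2010:10:03:00 +0000] "GET /about HTTP/1.1" 200 1024 "http://blog.example/initial-report" "Mozilla/5.0"
192.0.2.44 - - [13/Jan/2010:08:15:42 +0000] "GET /initial?ref=1 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.45 - - [13/Jan/2010:08:16:00 +0000] "POST /scan HTTP/1.1" 200 64 "-" "curl/7.19"
"""

# Client IP, request method and request path from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"'
)

def parse_line(line):
    """Return the fields we need, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "method": m["method"],
        # Drop any query string so /initial?ref=1 still matches /initial.
        "path": m["path"].split("?", 1)[0],
    }

def unique_ips_requesting(lines, path="/initial"):
    """Set of client IPs that actually sent GET <path>."""
    ips = set()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET" and rec["path"] == path:
            ips.add(rec["ip"])
    return ips

def naive_grep_count(lines):
    """Reproduce the post's pipeline: any line containing 'initial', field 1."""
    return len({line.split(" ", 1)[0] for line in lines if "initial" in line})
```

On the constructed sample, `unique_ips_requesting` finds 3 distinct clients while `naive_grep_count` reports 4.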

The malicious file also installs on the victim's computer a rogue security software named MS Antivirus (msa.exe) and a trojan that, judging from the traffic it generates, appears to be an automatic ad clicker.

When the malicious file named UAV Generator.exe is executed, it creates the following files:

%User%\Local Settings\Temp\a.dat
%User%\Local Settings\Temp\a.exe
%User%\Local Settings\Temp\b.exe
%User%\Local Settings\Temp\c.exe
%User%\Local Settings\Temp\sshnas.dll
C:\WINDOWS\msa.exe
C:\WINDOWS\System32\sshnas.dll

The file creates the following registry entries:

HKLM\SYSTEM\ControlSet001\Services\SSHNAS\Parameters\ServiceDll: C:\WINDOWS\System32\sshnas.dll
HKLM\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters\ServiceDll: C:\WINDOWS\System32\sshnas.dll
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NeoChronos: %User%\Local Settings\Temp\c.exe
HKCU\Software\Astrocom
HKCU\Software\NeoChronos
HKCU\Software\XML
HKCU\Software\Microsoft\Handle

The file generates the following Internet traffic:


The other dropped files were detected by some antivirus engines as Mal/TDSSPack-U (Sophos) and Trojan.Win32.Alureon (Ikarus); they probably connect to a C&C server and are used to install the well-known ZeuS Trojan, which steals credit card numbers, bank account credentials and other personal information from the victim's computer.

As always, we highly recommend that you do NOT download and execute unknown executables, do not trust what you see on unknown websites, always double-check files before running them on your system, and do the same with website addresses you do not know. Another recommendation is to not download files whose names contain keywords such as "crack", "keygen", "patch", "cracked" or "100% working", as in 99.9% of cases they contain stealth malware and/or rootkits of the TDSS family.

Remember, it's always safer to buy software if you like it.
