Trojan Piggybacks on Anti-Phishing Tool
There have been hints over the past few months that malware authors collaborate on code just like legitimate application developers. First, there was the merged code between Zeus and SpyEye. Then researchers found three major botnets that seemed to be taking on each other's characteristics to spread Trojans and spam.
What's unexpected, are signs the creators of malicious software are using actual components from legitimate applications in their code.
A Trojan redistributing the execulate and a DLL (dynamic link libraries) file from WebShield, an anti-phishing tool, was found by Symantec researchers. WebShield is part of the Kingsoft Internet Security package from China-based Zhuhai Kingsoft Software.
Since the Trojan is just piggy-backing onto the computer using WebShield, it is hard to detect. The files being used by the Trojan are digitally signed and WebShield continues to access the file and work as it was designed.
It "could make it difficult for users to realize they are running a malicious program," Paul Jensen, a Symantec researcher, wrote on Symantec's Connect blog.
WebShield locks the browser home page to a specific domain and redirect text format URLs. Instead of writing code to handle the redirecting, the malware authors use WebShield to do the same thing. Instead of directing Internet Explorer users to safe domains, the Trojan redirects them to "advertisement link farms" controlled by cyber-criminals, Jensen wrote.
Upon installation, the application creates two files, kws.ini and spitesp.dat, to control the home page and list of domains to redirect. When packaging the Trojan with Webshield, the developers tweaked the first file to list malicious domains, and the second file to list some of the most popular sites in China. When users running the compromised WebShield attempts to access one of the popular sites, they are automatically redirected to one of the malicious links, Jensen wrote.
The Trojan also deletes all Quick Launch icons except IE, since that's the only browser this specific exploit works on.
Since the package installs itself as an automatic service and there is no uninstaller executable provided, removal can be "quite challenging," Jensen said.