A Census-Taking Trojan?

Updated: 16 Jul 2010
By Kaoru Hayashi

We recently came across a new threat that is distributed through various adult websites. The Trojan masquerades as a codec that is required to view a video, and when downloaded and executed, displays a fake installer:

The Trojan also creates and executes a dropper executable, which in turn creates a DLL file in the %System% folder. The dropper executable then deletes itself.

The main body of the dropped DLL is encrypted, and to make analysis more difficult, the decryption key itself is encrypted using a value that is unique to the compromised computer. This is not a new idea; we’ve seen this technique used before, for example in the infamous Backdoor.Rustock variants. In this case, the unique value is 16 bytes in length and is generated from the creation times of the System and System Volume Information folders. This unique value is used to encrypt the main DLL decryption key, which is then embedded in the DLL file. The body of the Trojan now cannot easily be decrypted and/or analyzed on another computer.

When the main DLL is executed, it retrieves the creation times of the System and System Volume Information folders to regenerate the unique value, the same operation that was performed when the Trojan was installed. It then uses the unique value to decrypt the main decryption key, which is subsequently used to decrypt and execute the body of the Trojan.
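The two-stage scheme above is what forces an analyst to recover the victim's folder creation times before the sample can be decrypted elsewhere. The following is an added example, not Symantec's code or the Trojan's, showing the analyst-side reconstruction: the 16-byte value is assumed to be the two folder creation FILETIMEs concatenated, the key wrapping is assumed to be XOR, and a SHA-256 counter-mode keystream stands in for the unknown body cipher; the victim timestamps, key and body are constructed placeholders.

```python
import hashlib
import struct
from datetime import datetime, timezone
from typing import Optional

EPOCH_DELTA_100NS = 116444736000000000  # 1601-01-01 to 1970-01-01, in 100 ns ticks

def to_filetime(dt: datetime) -> int:
    """Convert an aware datetime to a Windows FILETIME (100 ns ticks since 1601)."""
    return int(dt.timestamp() * 10_000_000) + EPOCH_DELTA_100NS

def unique_value(system_ft: int, svi_ft: int) -> bytes:
    """Assumed 16-byte machine value: the creation FILETIMEs of the System and
    System Volume Information folders, concatenated little-endian."""
    return struct.pack("<QQ", system_ft, svi_ft)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(key: bytes, n: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode), a stand-in for the unknown cipher."""
    out = b"".join(hashlib.sha256(key + struct.pack("<I", i)).digest()
                   for i in range((n + 31) // 32))
    return out[:n]

def unwrap_and_decrypt(blob: bytes, system_ft: int, svi_ft: int) -> Optional[bytes]:
    """Analyst side. blob = wrapped 16-byte main key || encrypted body.
    Unwrap with the victim's timestamps, then decrypt; return the body only
    if it looks like a PE image, so a wrong machine value is noticed."""
    wrapped, body = blob[:16], blob[16:]
    main_key = xor(wrapped, unique_value(system_ft, svi_ft))
    plain = xor(body, keystream(main_key, len(body)))
    return plain if plain.startswith(b"MZ") else None

# Constructed sample standing in for a DLL recovered from a victim's disk image.
VICTIM_SYSTEM_FT = to_filetime(datetime(2010, 3, 2, 8, 15, 0, tzinfo=timezone.utc))
VICTIM_SVI_FT = to_filetime(datetime(2010, 3, 2, 8, 16, 30, tzinfo=timezone.utc))
MAIN_KEY = bytes(range(16))                 # placeholder for the real main key
BODY = b"MZ" + b"<encrypted body>" * 3      # placeholder for the real body
SAMPLE_BLOB = (xor(MAIN_KEY, unique_value(VICTIM_SYSTEM_FT, VICTIM_SVI_FT))
               + xor(BODY, keystream(MAIN_KEY, len(BODY))))

if __name__ == "__main__":
    recovered = unwrap_and_decrypt(SAMPLE_BLOB, VICTIM_SYSTEM_FT, VICTIM_SVI_FT)
    print("recovered body:", recovered)
    # Same blob, timestamps from a different machine: the unwrap yields garbage.
    print("other machine:", unwrap_and_decrypt(SAMPLE_BLOB, VICTIM_SYSTEM_FT + 1, VICTIM_SVI_FT))
```

In practice the creation times come from the victim's filesystem metadata (for NTFS, the folder MFT records), which is why a sample copied to an analysis box without them will not decrypt.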

The Trojan attempts to gather a significant amount of information from the compromised computer, including:

  • OS version and language
  • Whether the Trojan is running on a Windows Terminal Server session
  • Whether the Trojan is running on a virtual machine (e.g. VMware, VirtualBox, Virtual PC, Hyper-V, Xen and Wine)
  • Whether the Trojan is running in a sandbox (e.g. JoeBox, CWSandbox, Anubis and Sandboxie)
  • Whether certain system and security tools are running (e.g. Wireshark, sniff_hit, sysAnalyzer, Filemon, ProcessExplorer, Processmon, Regmon and Autoruns)

It also, however, gathers the following information, which we don’t usually see threats going after:

  • DNS query results for certain domains
  • Values of segment registers
  • Values of local descriptor table registers
  • Values of task registers
  • Values of global descriptor table registers
  • Values of interrupt descriptor table registers

The Trojan encrypts the gathered information and sends it to a remote attacker encoded in the filename of an HTTP GET request. An example of such a request is as follows:

The ‘requested’ file sent back by the server also doesn’t look like a Flash file, and turns out to be encrypted malicious code:

It looks like the author of the Trojan is attempting to build an inventory of environment information stolen from compromised computers. This is possibly with a view to better understanding the environments of their targets and then delivering malicious code tailored to specific system characteristics. The attackers are also likely to be able to mine the results for evidence of computers being used as honeypots by researchers.

Symantec Antivirus products detect the threat as Trojan.Milicenso, and heuristically as Packed.Generic.305. As ever, we urge users to keep their virus definitions up to date and to avoid running any executables unless they are verified to be trustworthy.