Trojan Writer Lusts for Money from Affiliate 

Nov 09, 2007 03:00 AM

Since the start of this past September, my daily tasks have included investigating Trojan.Farfli, which is updated frequently. On the dark side of things, the author of the Trojan has daily tasks that are closely related to mine: updating Trojan.Farfli. We have seen Trojan.Farfli updated three times a day on average and sometimes as many as seven times a day, and the total number of variants has reached more than 300 since July. In comparison, Trojans discovered around the same time have far fewer variants. For example, Trojan.Hachilem and Trojan.Srizbi have only 150 variants and 40 variants, respectively. Strictly speaking, because some of the files dropped by this Trojan are polymorphic, there are hundreds and hundreds of variants of this Trojan.

Why does the author update the threat so often? We don’t know exactly what the motive is, but the most likely reason is monetary. An infected computer accesses predefined Web sites with the author’s affiliate ID, providing extra hits on his or her affiliate tracker. Obviously, a program that uses computer resources without the user’s consent is classified as an illegal program by most antivirus vendors. The author also adds meaningless data to the Trojan variants in the hope of avoiding detection. The junk code varies widely; the following are some examples:
• Addition of meaningless junk data
• Calls to APIs that serve no purpose (“They love Sleep() so much!”)
• Changing the hierarchy of the call structure
• Addition of inline assembler code that serves no purpose
• Unnecessary use of local variables
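As an added triage example (not code from the original post or from Symantec), the small Python heuristic below scans a constructed IDA-style listing for two of the padding patterns listed above: call sites to a useless API such as Sleep() and local stack slots that are written but never read. The listing, the sub_ names and the var_ names are constructed for illustration and are not taken from Trojan.Farfli.

```python
import re

# Constructed IDA-style listing (not from the real sample): one function padded
# with useless Sleep() calls and never-read locals around two real calls.
LISTING = """\
push    ebp
mov     ebp, esp
mov     [ebp+var_4], 0DEADh
push    0
call    ds:Sleep
mov     [ebp+var_8], eax
push    offset aTrackerUrl
call    sub_401000
mov     [ebp+var_C], 7
mov     eax, [ebp+var_8]
push    eax
call    sub_401100
push    0
call    ds:Sleep
retn
"""

JUNK_APIS = {"Sleep"}  # APIs the post singles out as padding
CALL_RE = re.compile(r"^\s*call\s+(?:ds:)?(\S+)")
STACK_WRITE_RE = re.compile(r"^\s*mov\s+\[ebp\+(var_\w+)\],")
STACK_READ_RE = re.compile(r"\[ebp\+(var_\w+)\]")

def junk_metrics(listing):
    """Return (total_calls, junk_calls, dead_slots) for one disassembled
    function; dead_slots are locals that are written but never read."""
    total = junk = 0
    writes, reads = set(), set()
    for line in listing.splitlines():
        m = CALL_RE.match(line)
        if m:
            total += 1
            junk += m.group(1) in JUNK_APIS
            continue
        m = STACK_WRITE_RE.match(line)
        if m:
            writes.add(m.group(1))  # a write does not count as a read
            continue
        reads.update(STACK_READ_RE.findall(line))
    return total, junk, sorted(writes - reads)

def junk_ratio(listing):
    """Fraction of call sites that hit a padding API (0.0 when no calls)."""
    total, junk, _ = junk_metrics(listing)
    return junk / total if total else 0.0
```

Comparing the ratio and the dead-slot count across variants of one family gives a quick measure of how much padding each update adds, independent of file size.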

In the screenshots below we compare the Trojan’s code with and without junk code, using the IDA Pro disassembler. In figure 1, everything outside the red rectangle is junk code:

Figure 1. With junk code.

Figure 2. Without junk code.

Adding junk code has side effects. As the table below indicates, the Trojan’s file size increased by 20% and its elapsed time is almost twice that of the original variant. Even more significantly, process time increased more than tenfold. Consuming more resources in this manner (without any improved feature) is unthinkable in regular programs, but with today’s faster computers and larger network bandwidth, we imagine the author does not mind at all.

Date         File size   Elapsed time   Process time
2007/07/28   95.5kB      15.5s          0.01s
2007/10/12   120kB       29.8s          0.13s

Searching for the author’s affiliate ID on a search engine returns many hits. This means that searches are conducted by many infected computers and access logs are left behind. We have no way to know how much money the author makes from the affiliate program, but we can guess that it’s pretty substantial.

Symantec has seen many samples of this Trojan and regularly monitors download sites for this threat. We expect to see more variants for months to come, as their purpose is to make as much money as possible. Security Response will continue researching the threat to protect our customers.
