Trojan.Dozer - Kicking You While Your Website is Down

Orla Cox
July 10th, 2009
Tags: Endpoint Protection (AntiVirus), Emerging Threats, Malicious Code, Security, Security Response

We've been spending most of the past week pulling apart Trojan.Dozer in order to get a full understanding of what its purpose is. Its most publicized feature is the DDoS attacks it performs against a number of sites. But after some further research we've found some other sinister features in the form of an old-school time bomb.

First of all, the trojan checks whether the system time is after July 10th 2009 00:00:00. If it is, the threat begins its real mischief. It first searches for files with the following extensions:

.accdb
.alz
.asp
.aspx
.c
.cpp
.db
.dbf
.doc
.docm
.docx
.eml
.gho
.gul
.hna
.hwp
.java
.jsp
.kwp
.mdb
.pas
.pdf
.php
.ppt
.pptx
.pst
.rar
.rtf
.txt
.wpd
.wpx
.wri
.xls
.xlsx
.xml
.zip

For files smaller than 5MB, it overwrites the entire contents of the file with zeroes. For files larger than 5MB, only the first 5MB is overwritten. This corrupts the files but preserves their size, so affected users may not notice a problem until they try to open one. For files smaller than 5MB, it also places the overwritten file into an archive using the original name plus a .gz extension; for example, a file called "work.doc" ends up in an archive called "work.doc.gz". These archives are password protected with a random password, possibly to trick the user into thinking they are infected with some form of ransomware. And finally, to add to the user's woes, it overwrites the MBR and deletes some other critical boot information, meaning that the computer will no longer be able to boot.

In another old-school twist, a message is placed in the overwritten MBR data:

[Image: the message embedded in the overwritten MBR data]

So, what does this tell us? For us researchers this threat very much harks back to the old days. The vast majority of threats out there today are used for "commercial" purposes - stealing personal data, distributing rogue anti-virus, propagating spam, etc. If you're running a botnet, you don't want to render your hosts useless; you want to keep them up and running for as long as possible. For Trojan.Dozer, the purpose appears to be mischief and/or notoriety, which was the prime motivator of malware authors in the past.

So, are you likely to be affected? If you're still reading, then most likely no! We know that infection levels of this threat are low and have dwindled away over the last few days. Also, we've now passed midnight on July 10th in most countries and haven't yet heard reports of affected users. Protection has been out there for a number of days now so most users should have had the time to clean up any infections.

If you have been affected, then unfortunately recovery options are limited. Any overwritten data is not recoverable, and the method used to corrupt the MBR means that it cannot be repaired with tools such as "FixMBR". The only possible way to recover data is to connect your HDD to another computer (one running up-to-date antivirus) and copy over any files that are still intact.
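When copying files off a disk attached to a clean machine, the overwrite pattern described above (the first min(size, 5MB) of each targeted file zeroed, size preserved) gives a cheap way to tell corrupted files from intact ones. The following triage script is an added example written for this post, not code from Symantec; the extension subset, the 5MB limit and the sample files in `demo()` are constructed from the behaviour described above.

```python
import os
import tempfile
from pathlib import Path

# Behaviour described in the post: the first min(size, 5 MB) of each
# targeted file is zeroed while the file size is left unchanged.
OVERWRITE_LIMIT = 5 * 1024 * 1024
# Subset of the extension list from the post (constructed for this example).
TARGET_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt",
                     ".zip", ".rar", ".mdb", ".xml", ".c", ".cpp", ".java"}


def zeroed_prefix(path, limit=OVERWRITE_LIMIT, chunk=1 << 16):
    """True if the first min(size, limit) bytes of the file are all zero.

    Empty files cannot have been overwritten and are reported intact.
    Caveat: a file that is legitimately zero-filled (sparse images, some
    preallocated databases) also matches, so treat hits as candidates for
    a manual check rather than proof of corruption.
    """
    remaining = min(os.path.getsize(path), limit)
    if remaining == 0:
        return False
    with open(path, "rb") as f:
        while remaining > 0:
            buf = f.read(min(chunk, remaining))
            if not buf or buf != bytes(len(buf)):
                return False
            remaining -= len(buf)
    return True


def triage(root, extensions=TARGET_EXTENSIONS):
    """Walk a mounted volume and split targeted files into corrupted / intact.

    The .gz archives written next to small files only hold the already-zeroed
    data, so they are not treated as a recovery source here.
    """
    corrupted, intact = [], []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in extensions:
            (corrupted if zeroed_prefix(p) else intact).append(p.name)
    return corrupted, intact


def demo():
    """Build a constructed sample tree mimicking the damage and triage it."""
    root = Path(tempfile.mkdtemp())
    (root / "work.doc").write_bytes(bytes(1024))                      # small file, fully zeroed
    (root / "work.doc.gz").write_bytes(b"\x1f\x8b" + bytes(30))       # archive left beside it
    (root / "big.pdf").write_bytes(bytes(OVERWRITE_LIMIT) + b"%%EOF")  # only first 5 MB zeroed
    (root / "notes.txt").write_bytes(b"untouched text")                # intact
    (root / "empty.xml").write_bytes(b"")                              # nothing to overwrite
    return triage(root)
```

Run `triage()` against the mount point of the attached disk and copy only the `intact` list; anything in `corrupted` is, per the post, not recoverable.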

Thanks to Mario Ballano and Mircea Ciubotariu for their analysis.
