On Monday, March 29, 2010, bkis.com published a blog describing malware that masqueraded as the Adobe Reader update program. This tactic is an attempt to run a malicious payload while avoiding detection. As we looked into this sample (detected as Trojan.Dosvine) in more detail, it became clear that this threat is involved in a DDoS (Distributed Denial of Service) attack on the Vietnamese online community. In a related article, Google reported that “compromised keyboard language software and possibly other legitimate software” is being used to infect Vietnamese Windows computers.
Initial reports on this attack have compared this to the Trojan.Hydraq/Aurora incident from earlier this year. For those not familiar with the Hydraq incident, everything you need to know can be found in our blog series on the subject. The comparison is not entirely accurate since the motive behind the Hydraq incident was industrial espionage. In contrast, the motive behind Trojan.Dosvine is to prevent access to strategic Vietnamese websites.
A better comparison to this threat is Trojan.Dozer. This threat attempted to perform a DDoS attack against a number of strategic sites in Korea, for example:
* www.president.go.kr
* www.mnd.go.kr
* www.mofat.go.kr
* www.assembly.go.kr
Dozer first surfaced on the July 8, 2009. Trojan.Dozer attacked strategic Korean sites. This time the targets are Vietnamese websites. The common theme is regional political motivation.
Hijacking the update mechanism is an interesting technique, but what’s more interesting is that this technique is being used in this attack. Our telemetry shows that Vietnamese websites are the targets in this attack, which can be seen in the below map. It also shows that outside of Vietnam there seems to be a correlation to the relative sizes of the Vietnamese communities in those countries:
Technical details
The first thing Trojan.Dosvine does is download an update. It gets the information for the update from [http://]www.update-adobe.com/info.xml. Here is an example of this .xml file:
<live lastBuilt="2010-02-23 23:41:00" lFile="adobe-update.exe">
<default groups="" file="http://www.update-adobe.com/updater.html"/>
<special groups="thongtinberlin|THTNDC|TCPT|talawas|danchimviet|THONGLUAN|DVD|FREELANCER|Hackers|BLOGS|VIETTAN|GhostSurf|UGs|DDCVN|doi-thoai|X-Cafe|bauxitevn|blogosin|GameMasters|" file="http://www.update-adobe.com/supdater.html"/>
</live>
The threat then downloaded the following file at the time of analysis:
dad70ac28fc90b80fe0921e8073db151 *supdater.exe
This appears to be the installer for the threat which drops the following files:
• dad70ac28fc90b80fe0921e8073db151 Copy of the threat
• New Folder - C:/Program Files/Adobe/Reader 9.0/
• New Folder - C:/Program Files/Adobe/Reader 9.0/Reader/
• e3cf360516ebc0655df949d65871b09a C:/Program Files/Adobe/Reader 9.0/Reader/AdobeUpdater.exe
• eb4eca9943da94e09d22134ea20dc602 C:/Program Files/Adobe/Reader 9.0/Reader/zf32.dll
• b6062946df8e791e6f644754df138266 C:/Program Files/Common Files/System/TableTextService.exe
• 71872ea8cff3439d1b8b645a5c6da870 C:/Program Files/WindowsUpdate/wuauserv.exe
• eb4eca9943da94e09d22134ea20dc602 C:/Program Files/WindowsUpdate/zf32.dll
• e3cf360516ebc0655df949d65871b09a C:/WINDOWS/system32/Setup/AdobeUpdater.exe
• b6062946df8e791e6f644754df138266 C:/WINDOWS/system32/Setup/TableTextService.exe
• 71872ea8cff3439d1b8b645a5c6da870 C:/WINDOWS/system32/Setup/wuauserv.exe
• eb4eca9943da94e09d22134ea20dc602 C:/WINDOWS/system32/Setup/zf32.dll
• 1472546e7e47c30c5eb54fe0a1d244ab C:/WINDOWS/system32/mscommon.inf
• c2dfd88074321d3a0df6f998b85534a3 C:/WINDOWS/system32/msconfig32.sys
• eb4eca9943da94e09d22134ea20dc602 C:/WINDOWS/system32/zf32.dll
Network Activity
The following URLs should be blocked at the network boundary:
• voanews.ath.cx
• ymail.ath.cx
• tyuqwer.dyndns.org
• adobe.ath.cx
• update-adobe.com
• google.homeunix.com
• blogspot.blogsite.org
Protection
Symantec customers should ensure that their definitions are up to date. As mentioned previously, files related to this threat are now detected as Trojan.Dosvine. This threat was originally detected by our heuristic engine as Bloodhound.Sonar.9 and Bloodhound.Sonar.7 offering proactive protection to our customers against this threat. Specific detections were added on February 11, 2010, as Backdoor.Trojan. As always, customers should follow best practices and ensure their antivirus products are up to date. This is the latest example of a threat used for political purposes, which seems to be an increasing trend.
=========================
Note: Thanks to Mario Ballano Barcena for his analysis of this threat, and also to Ben Nahorney and Paul Mangan for their assistance.