Thursday, July 9, 2009

Trojan-Downloader.Win32.FraudLoad

Trojan-Downloader.Win32.FraudLoad (exe-site.com/streamviewer.#.exe) is an "old" infection but I read many times as it is new. It looks new because of the bad AV detections, and because of some tips used by creators.

- The DNS is changing quickly (aroud every 24 hours):
exe-profile.com
load-exe-soft.com
exe-xxx-file.com
exe-box.com
exe-box.com
let-exe-2009.com
exe-4free.com
...
Filenames are composed like necessary software to watch streaming videos: streamviewer.#.exe, flashplayer.v10.#.exe, TubeViewer.ver.6.#.exe (where # is a number of 4/5 caracters).

- File used to be an UPX packed infection and was easy to detect. For some weeks, it is using a stub to bypass Antivirus detection. File is still UPX packed but creators add the stub to cypher it (stub -> UPX -> infection code). The stub code is also quickly modified. This is why a lot of AV are late to detect it.

- At the end of the file there is 8 bytes:
4 bytes for a key (again, quickly modified),
4 bytes for the affiliate ID.
Last 4 bytes is an XOR operation based on # numbers in the filename/webpage and the 4 bytes key. The same file downloaded from a different affiliate website has a different hash...

- Downloaded files used to be executables hidden behind a picture filename. They are now real GIF pictures but the size is too heavy for simple pictures. The infection is cyphered behind the picture data (remember tibs infection ? Where tibs was using a simple XOR encryption routine, this trojan-downloader uses a more sophisticated rout.). Extracted executables are using the same Trojan-Downloader stub method to cypher their code.