If you are a frequent reader of this blog, it is not news to you that malware authors are moving away from a quest for fame toward profit driven operations. Malware authors and controllers are moving to a free market organization where each group has a very precise area of expertise and "outsource" other tasks to other groups.

An example of this business structure are the malware affiliation programs that seem to gainin popularity. Some malware gangs have removed infections from their malicious operations and now rely on other groups to install their creations on victim computers. A typical scenario goes as follow:

  • A number of websites get defaced using various types of attack vector to include an iFrame. This iFrame then injects malicious code in visitors Internet browser.
  • The malicious code installs a basic trojan on the victim system. The only functionality of this trojan is to download and execute additional components, usually from affiliated gangs.
  • The controllers of the malware that gets installed on the victims’ computer pay the attackers that defaced the websites in compensation for the installations.

We came across such a site with tens of different malicious samples this week. In this case, the malicious code tries to exploit five different vulnerabilities present in Internet Explorer or its ActiveX components. The first stage downloader sits on the infected computer for a couple of seconds before downloading and installing nine different malware including adware, worms, and viruses. This attack is far from being subtle; an infected computer becomes almost unusable within minutes after infection since the malicious programs eats up all the system’s resources. The malicious server is presently hosted in Russia and is still serving malware. The following malware have been detected on the server:

  • Win32/BHO.NCI trojan
  • Win32/TrojanProxy.Agent.NDW
  • Win32/Nulprot trojan
  • Win32/Statik application
  • a variant of Win32/TrojanDownloader.Small.IAW trojan
  • Win32/Adware.Virtumonde application
  • Win32/TrojanClicker.Agent.NDEtrojan
  • probably a variant of Win32/Nuwar worm
  • Win32/TrojanDownloader.Small.AWA trojan

As usual, our recommendations to users are to update any installed software, including ActiveX components. For webmasters, we strongly recommend monitoring web pages to quickly identify malicious content for removal and thus protect your visitors.

Pierre-Marc Bureau