Friday, July 15, 2011

Trojan-Downloader.Dyfuca family (last update: 04.03.2005)

VirusHunter warns computer users who work with unsafe browser security settings that a hasty click on the "Yes" button of a dialog box that pops up on the Internet may lead to an infection...


General information about Trojan downloaders.

Trojan-Downloaders are programs whose purpose is to download files via the Internet and launch them on the victim machine without the user's knowledge. Typically these files are various kinds of malicious programs, such as backdoors (programs that allow an attacker to control the infected machine via the Internet), PSW-Trojans (programs that fish user and network passwords out of the system and then send them to the hackers), and so on.
In this description we discuss one representative of this class, the "DYFUCA" family of programs, which has literally flooded Internet resources. It should be said that about 40-50% of the new versions of this Trojan that I occasionally caught while working on the Internet were, at the time of their discovery, unknown to the anti-virus companies and, naturally, not detected by anti-virus programs, or were known only to a few of them.
Modifications of "DYFUCA", unlike other Trojans of the Trojan-Downloader class, are not confined to the porn and hacking sites of the "underground": I came across them on certain pages of popular sites such as MAIL.RU and RAMBLER.RU, on the pages of major Russian and foreign literature sites, and on some large sites offering software builds and software news. Trojans of the "DYFUCA" family use a number of tricks to get a trusting user to install them on his own computer. The danger of the latter is that while the user is on the Internet they constantly poll the links contained in their code and install on the infected computer various malicious programs, as well as new versions of their own components, which may contain further links to other Trojans or viruses.


A detailed description of the Trojan family "DYFUCA".

1. Infecting computers across the Internet.

To infect computers connected to the Internet, the Trojan relies on its program being called through cross-references placed in the code of certain pages on sites developed by private parties. In the case of porn and hacking sites this is, of course, done intentionally. That is, when any page containing such a link in its own code is called, a request goes to the remote computer holding the Trojan program, and the "DYFUCA" Trojan is called for download.
The Trojan can get onto the machine in one of the following ways:
1. If the Web browser's security settings allow the system to launch so-called "ActiveX" objects without asking (script-based applications that offer to download and install software without requiring the user's permission for this action; it must be admitted that most users work in this unprotected mode, which allows such things to happen), then the script called via the above link downloads and installs the Trojan software on the machine silently, without any warning at all, and the user may never learn that an uninvited guest has entered the system.
2. If the Web browser's security settings are configured properly and, moreover, a so-called "FireWall" is in place (a protector program against hackers, network worms and unauthorized covert program calls), the remote script cannot install the Trojan on the machine. In this case, when infection by the 1st method fails, the remote script simulates a message on behalf of some company, for example "Integrated Search Technologies", proposing to install "useful" software, for example "a program for searching for cracks and serial numbers of various software products", with a message like the following:

If the user clicks the "No" button, another dialog box with a message appears, etc.


In its text the user is advised to be more "prudent" and to click the "Yes" button on the 1st dialog, ostensibly so as to be able to call up and view the "license agreement" regarding installation of the proposed software. The user now simply needs to click "OK" to close the intrusive dialog with the message.
If on the 1st dialog the user clicks "Yes" (which almost all users do, apparently without realizing what is going on, or simply afraid that clicking "No" will bring the computer to its "Amen"), the system receives a signal from the remote computer to download and install the program "requested" by the user on the machine, just as usually happens when software is installed over the network directly from the manufacturer's server. The only difference in our situation is that the Trojan is loaded onto the machine with no download percentage indicator and no final report on completion of loading, because the process is covert.


2. Downloading the Trojan's package file.

The Trojan's software package is copied, in the form of a CAB archive, into a subdirectory of the hidden system folder Temporary Internet Files:
for Windows 9X/ME: WINDOWS\Temporary Internet Files\Content.IE5\...\*.cab
for Windows 2K/2K Server/XP: Documents and Settings\%user%\Local Settings\Temporary Internet Files\Content.IE5\...\*.cab
where %user% is the current user name. The archive is unpacked according to the standard scheme into the hidden system subdirectory WINDOWS\Downloaded Program Files using the Microsoft utility EXTRACT.EXE, which is always present among the other components of Windows systems. The archive contains two files:
UniDist.inf - a driver file (size 515 bytes) containing service data used when registering the Trojan in the system, as well as certain other information;
UniDist.ocx - the Trojan's installation package, whose size depends on the version of the Trojan (about 36 kb).
Next the package is unpacked and the OCX code of the Trojan is loaded into the machine's memory. While the contents of the package are being unpacked and installed, the Windows version is checked, and if Windows NT version 3.50, 3.51 or 4.0 is installed on the machine, the Trojan calls the download link http://activex.microsoft.com/controls/vc/mfc42.cab, spelled out in the body of the INF file. The specified file is located on a "Microsoft" server and is an archive named MFC42.CAB, containing a self-extracting archive named mfc42.exe of size 667 360 bytes. This archive contains an original update of some components of the above Windows NT versions. The update consists of 7 files that replace outdated system components responsible for processing data with ActiveX objects; evidently some additional features that "Microsoft" engineers added to the updated components are used by the Trojan to carry out its further manipulations via the Internet.

3. Installing the Trojan.

The Trojan is a resident program written in Microsoft Visual C++ and able to run under all Windows versions existing today. The program consists of two identical components, stmtdlr.exe and optimize.exe, each approximately 65 kb in size (depending on the version of the Trojan, the size may be significantly smaller if the Trojan's files are compressed with compression utilities, usually "UPX" or "PECompact").
The component stmtdlr.exe is always installed in the same subdirectory:
Program Files\Dialers\stmtdlr.exe
The component optimize.exe is installed in a subdirectory whose name is chosen at random from the following options:
Program Files\Media Manager\optimize.exe
Program Files\Software Installer\optimize.exe
Program Files\Active Alert\optimize.exe
Program Files\Internet Optimizer\optimize.exe
Earlier versions of the Trojan may also register themselves under the name actalert.exe in the subdirectory
Program Files\DyFuCA\actalert.exe
The Trojan creates the following registry keys (listed for new versions of the Trojan):

Key 1:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"DyFuCA"=""C:\\Program Files\\***\\optimize.exe""

Key 2:

Fci: DyFuCA

Key 3:

[HKEY_LOCAL_MACHINE\Software\Fci]

Key 4:

[HKEY_LOCAL_MACHINE\Software\FCi\DyFuCA]
"TAC"="Yes"
"INIT"="ActiveX"

Key 5:

Files\\***\\optimize.exe"
"DisplayName"="***"
"UninstallString"="\"C:\\Program Files\\***\\optimize.exe\" /u"

Key 6:

[HKEY_CURRENT_USER\Software\Avenue Media]

Key 7:

[HKEY_LOCAL_MACHINE\Software\Avenue Media\***]
"CLS"="wsi9"
"RID"="r01"
"Version"="....."


where the symbols "***" stand for the name of the subdirectory in which the component optimize.exe is installed, and "....." (Key 7) for the version number of the Trojan. Key 1 is used by the Trojan to start at every system startup; Keys 1...4 are used by the Trojan's own ActiveX-object handlers when it carries out the procedures of downloading malware to the computer via the Internet. Key 5 is used to register the Trojan in the system's "Add or Remove Programs" list under the guise of a system application (the name under which the Trojan registers itself in the list of installed programs corresponds to the name of the directory in which the component optimize.exe is installed). Keys 6 and 7 are used only during the Trojan's search for its own updates on the Internet and contain proprietary information. The Trojan got the name "Dyfuca" from a few lines of text with that word contained in its code. To conceal its presence in the system, the Trojan uses the file stmtdlr.exe as its resident component; it is loaded into memory by the component optimize.exe at startup, after which the "optimize.exe" process terminates itself. Thus the component optimize.exe masquerades as a harmless system application (who would think that a malicious program could be registered in the list of installed programs), and the component stmtdlr.exe, sitting in a subdirectory with the exotic name "Dialers", is likely to be taken by most users for a system application that helps connect to the Internet.
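As an added illustration (not part of the original description and not the author's code), the following Python script scans a text export of the registry (.reg format) for the indicators listed in this section: the Run value pointing at optimize.exe, the Fci and Avenue Media marker keys, and any value that references one of the Trojan's known install paths (which also covers the files section 6 says should be deleted). The sample export embedded in it is constructed for the example; the key names and paths come from the description above, and the Key 5 uninstall entry is left out because its key path is not given.

```python
"""Scan a .reg export for the DyFuCA registry indicators described in section 3.
Added example; the sample export below is constructed, not a real capture."""
import re

# Key paths the Trojan creates (Keys 3, 4, 6 and 7 above). Compared case-insensitively.
DYFUCA_MARKER_KEYS = (
    r"hkey_local_machine\software\fci",
    r"hkey_current_user\software\avenue media",
    r"hkey_local_machine\software\avenue media",
)
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"

# Install paths from section 3: the four optimize.exe directories, the older
# DyFuCA\actalert.exe location, and Dialers\stmtdlr.exe.
_PATH_RE = re.compile(
    r"program files\\(media manager|software installer|active alert|"
    r"internet optimizer|dyfuca|dialers)\\(optimize|stmtdlr|actalert)\.exe",
    re.IGNORECASE,
)

_SECTION = re.compile(r"^\[(.+)\]\s*$")
_VALUE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} from .reg text (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def unescape_reg_string(data):
    """Decode a .reg string literal (outer quotes, backslash escapes) into a plain string."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        data = data[1:-1]
    out, i = [], 0
    while i < len(data):
        if data[i] == "\\" and i + 1 < len(data):
            out.append(data[i + 1])
            i += 2
        else:
            out.append(data[i])
            i += 1
    return "".join(out)


def is_marker_key(key):
    """True for the Fci / Avenue Media keys themselves or any subkey of them."""
    k = key.lower()
    return any(k == p or k.startswith(p + "\\") for p in DYFUCA_MARKER_KEYS)


def scan_reg(text):
    """Return (kind, key, detail) findings; an empty list means no indicator was seen."""
    findings = []
    for key, values in parse_reg(text).items():
        if is_marker_key(key):
            findings.append(("marker_key", key, ""))
        for name, raw in values.items():
            m = _PATH_RE.search(unescape_reg_string(raw))
            if m:
                kind = "autostart" if key.lower() == RUN_KEY else "path_reference"
                findings.append((kind, key, f"{name} -> {m.group(0)}"))
    return findings


# Constructed sample export: one benign Run value next to the Trojan's entries.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"DyFuCA"="\"C:\\Program Files\\Internet Optimizer\\optimize.exe\""

[HKEY_LOCAL_MACHINE\Software\Fci\DyFuCA]
"TAC"="Yes"
"INIT"="ActiveX"

[HKEY_LOCAL_MACHINE\Software\Avenue Media\Internet Optimizer]
"CLS"="wsi9"
"RID"="r01"
'''

if __name__ == "__main__":
    for kind, key, detail in scan_reg(SAMPLE_REG):
        print(f"{kind:15} {key} {detail}")
```

The path check is deliberately applied to every value, not only the Run key, so that an uninstall string or any other reference to the install directories is reported even when the exact key it lives under is not known in advance; the marker-key check treats subkeys of Fci and Avenue Media as hits because Key 7 sits under a randomly chosen directory name.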

4. Downloading and installing malicious software via the Internet.

When the computer connects to the Internet, the Trojan opens port 53 of the TCP/IP protocol (the system port normally used by DNS), provided the port is not occupied by another program, and tries to find servers whose domain names contain fragments of text from the list below. On detecting any of these servers, the Trojan sends requests to it, and if the server accepts them and responds, the Trojan gains access to some kind of download page, from which it downloads further malware to the infected computer and then executes it, etc. It is difficult to say exactly which programs the Trojan downloads to the affected machine, since, as you can see, its code contains no specific references, only an intermediate server, so downloading these files for later study without the "help" of the Trojan is not possible. As for the infected machines on which members of the "DYFUCA" family were found, besides them there was usually a whole bunch of representatives of different classes of malware, and it is not possible to determine which of them are to the credit of "DYFUCA".

5. Upgrading the Trojan.

In addition to downloading other malware, the Trojan searches the Internet for a new version of its own program, referring to a page on the server ... http://www.internet-optimizer.com/ (the link is given only in part for security reasons, since among the readers there will surely be experimenters wanting to feel a "live" virus). The time intervals after which the Trojan must start looking for updates are read from the variable "wsi9", using the system date as reference. The value of this variable is indicated in Key 7. From the same key the variable "r01" is read, which corresponds to the name of the update file that the Trojan should download from the specified server. Through the same TCP/IP port 53 the Trojan communicates with the specified server and requests the version number of the update stored there. If the version number on the server is higher than the current version of the Trojan, written in Key 7 in the string "Version"=..., then it (the Trojan) downloads the update and overwrites its components with the newer ones, and the values of these variables and the version number in Key 7 are also replaced with the new values. Before overwriting the old ones, the Trojan saves its new components in the subdirectory "...\Update\" of the directory in which the component optimize.exe was installed on the PC (see the list above).
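The network behaviour in sections 4 and 5 (TCP port 53 used both for reaching the download servers and for the update server) gives a defender something concrete to look for: TCP connections to port 53 from processes other than the system DNS client, and any contact with the update host. The script below, an added example that is not part of the original description, applies those two rules to a constructed per-process connection log; the log format, the column names and the allowance for svchost.exe as the normal Windows DNS client are assumptions of the example.

```python
"""Flag outbound TCP/53 connections from non-DNS processes and contacts with the
DyFuCA update host in a per-process connection log. Added example; the log is
constructed for illustration, not a real capture."""
import csv
import io
from collections import Counter

# Update host named in section 5 (the rest of the URL is not given there).
UPDATE_HOSTS = {"www.internet-optimizer.com"}
# Assumption: on Windows, DNS normally originates from the DNS client service in svchost.exe.
# DNS over TCP from that process is legitimate (large responses), so it is allowed.
DNS_PROCESSES = {"svchost.exe"}

# Constructed sample log. Columns: time,image,proto,dst_host,dst_port
SAMPLE_LOG = """time,image,proto,dst_host,dst_port
09:00:01,svchost.exe,udp,192.0.2.53,53
09:00:02,iexplore.exe,tcp,www.example.com,80
09:00:05,stmtdlr.exe,tcp,198.51.100.7,53
09:30:05,stmtdlr.exe,tcp,198.51.100.7,53
10:00:05,stmtdlr.exe,tcp,198.51.100.7,53
10:00:09,stmtdlr.exe,tcp,www.internet-optimizer.com,80
10:01:00,svchost.exe,tcp,192.0.2.53,53
"""


def parse_log(text):
    """Parse the CSV log into a list of row dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def find_suspicious(rows, dns_processes=DNS_PROCESSES, update_hosts=UPDATE_HOSTS):
    """Return (rule, time, image, dst_host) tuples for rows matching either rule."""
    findings = []
    for r in rows:
        image = r["image"].lower()
        # Rule 1: TCP to port 53 from anything that is not the DNS client.
        if r["proto"].lower() == "tcp" and r["dst_port"] == "53" and image not in dns_processes:
            findings.append(("tcp53_non_dns", r["time"], image, r["dst_host"]))
        # Rule 2: any contact with the known update host, whatever the port.
        if r["dst_host"].lower() in update_hosts:
            findings.append(("update_host_contact", r["time"], image, r["dst_host"]))
    return findings


def offending_processes(findings):
    """Count findings per process; the Trojan's scheduled update checks repeat from one image."""
    return Counter(f[2] for f in findings)


if __name__ == "__main__":
    hits = find_suspicious(parse_log(SAMPLE_LOG))
    for rule, when, image, host in hits:
        print(f"{when} {rule:20} {image:14} -> {host}")
    print(dict(offending_processes(hits)))
```

The per-process count matters more than any single line: a lone TCP/53 connection can have benign explanations, but the same non-system image polling port 53 on a schedule, as the "wsi9" interval described above would produce, is the pattern worth acting on.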


6. Detecting and removing the Trojan from the system.

Since January 2005 the names of all components of the virus in the nomenclature of some anti-virus companies have been replaced by the following:
Kaspersky AntiVirus: Trojan-Downloader.Win32.Dyfuca
BitDefender Professional: Trojan.Downloader.Dyfuca
DrWeb: Trojan.Dyfuca (some modifications are also detected as Trojan.DownLoader)
The component UniDist.inf is not detected, for one simple reason: it contains ordinary code characteristic of the majority of INF files used to install various software. If this file were classified as a "virus", most other similar, harmless files would have to be declared viruses too. All files detected by anti-virus programs under the specified names are not subject to disinfection and should simply be deleted, since they are original components of the "DYFUCA" Trojan and not infected files.

Study of the malicious code and preparation of the description: Broido Herman (aka VirusHunter)
Date created: 07.04.2004
Date of last change: 04.03.2005
Author of the description: Broido Herman (aka VirusHunter)
