By Andrew Brandt
While it is far from the first Trojan ever to simply fail to execute under Windows XP, it definitely caught our eye that a variant of Trojan-Downloader-Tacticlol distributed last week in a spam campaign only fully executed under Windows Vista or newer operating systems. It may have been just a fluke, but repeated tests with both a virtual machine and real hardware running Windows XP at various patch levels showed that the Trojan we received attached to a spam message simply quit when executed in an XP environment, but ran smoothly and did all its planned dirty work on a Windows Vista testbed.
The Trojan, which is capable of causing a devastating malware infection, drops a DLL with an odd name made up of random letters into the system32 folder, then registers the DLL so it loads the next time the computer boots up. After a reboot, it kicks into full swing, pulling down a variety of malware installers.
The spam message (we got a bunch of different variations, all with the same attachment) came from a variety of falsified return addresses. The message, with a subject of Statement of fees 2009/2010 contains an utterly incomprehensible body, which reads, in part: “The accomodation is dealt with by another section and I have passed your request on to them today.” It looks very similar to a message I get from the toll road authority here in Colorado that uses electronic toll collection. The real entity emails a statement every so often with an attached PDF, though the real toll road statement doesn’t appear to come from the domains “reclusivebillionaire.com” or “reelsolutions.com.” Nice try, sparky.
More interestingly, though, is the idea that this Trojan, which is so prevalent and widely distributed, may signal the start of a trend where malware authors begin turning away from XP as the dominant operating system they target.
As with previous Tacticlol messages, the spam’s attachment is a .zip file. In this case, the attachment named Statement_of_Fees_2009-2010.zip contains a roughly 50KB malware installer named Statement_of_Fees_2009-2010.DOC.exe – a program with an icon designed to fool a casual user into thinking the executable is actually a Microsoft Word 2007 document, and an extra file extension to trick users who still foolishly have the “Hide File Extensions for Known File Types” option selected in their Folder settings for Windows Explorer. If you are one of these people, click Tools, Folder Options in any Explorer window, then switch to the View tab and clear this checkbox.
With the exception of not working properly under XP, the Trojan behaves identically to prior versions: It retrieves instructions from a command-and-control server to pull down executable payloads from other servers, as well as add some “backup” CnC server addresses to the Windows Registry under subkeys beneath the HKLM\software\classes\idid path. This particular version pulled down a wide variety of payloads, from a Zbot keylogger, to a Pushu spam bot, to another nasty downloader called TDSS, to a new version of a rogue AV that calls itself Sysinternals Antivirus (a play on the name of the highly reputable software company founded by Windows experts Mark Russinovich and Bryce Cogswell, later purchased by Microsoft).
For some time, the conventional wisdom in malware analysis has been that, if you want to do research in a real test environment, it makes sense to use the oldest, most vulnerable, most attacked version of Windows. This development of a Trojan which simply rejects Windows XP as a platform for infection may signal that it’s time for researchers to broaden their horizons and look at these newest, supposedly more secure platforms, more carefully than we may have done in the past.