By Andrew Brandt
In the world of first-person shooter games, getting the most headshots – hits on the opponent which instantly take the opponent’s avatar out of the game — is a prized goal. The headshot is the quickest way to dispatch a foe in virtually every shooter, which is why the file name of a malware sample, currently in circulation, stood out.
The file, yogetheadshot.php.exe (VT), is a dropper, a glorified bucket designed to tip over and spill other malware all over a PC. But where other droppers might leave behind a handful of payloads, this one utterly decimated a testbed PC with a malware headshot — an unusually overt infection that, defying conventional wisdom about malware infections, took no apparent effort to mask its behavior or remain low key.
The file, extracted from network traffic recorded while a test system got manhandled by a drive-by download site, was only one of several executable payloads that originated from the same domain hosting the drive-by.
But this sole dropper was more than capable of delivering the terminal blow to a middle aged Windows XP box. We first saw it appear on September 7th, but it has become more widespread since then.
(Update, 22 Sept.: Here’s a video that shows what happens on a system when someone executes this dropper. The dropper is near the upper-left corner of the screen. The rest of the screen is taken up with Process Explorer, which lets you see just how many payloads the dropper delivers.)
In the first 2 seconds, Trojan-Dropper-Headshot drops four .exe files into the Temp folder and executes them.
In the next second, four more executables are running, and rundll32 is loading a file with a .tmp extension in the same location. The next second, two more files load, dropping two more payloads, and a service named Windows System Backup Dumper (winbudump.exe) fires up. A second later, two final executables launch from the Temp folder, bringing the total to 15 payloads after eight seconds.
One of the payloads is something that calls itself the Desktop Cleanup Wizard, though it bears no resemblance to the Windows system tool of the same name. It creates two run keys in the Registry for itself (named “acronis toolbar helper” and “desktop cleanup wizard“) both of which point to the file’s location: inside the Local Settings folder for the currently logged-in user, in \Application Data\Desktop Cleanup Wizard\dskclnwiz.dll. The file also creates a registry key in the HKLM and HKCU hive, under software\microsoft\amnesiac.
Several of the payloaders are ad-clickers and downloaders. The ad-clicker, Trojan-Clicker-Vesloruki, creates a service named Follower (fFollower.exe) that drops a DLL and immediately hooks it to one of the running system processes. When the clicker is loaded, it rapidly visits dozens of pornographic Web sites in the background, choking network traffic almost to a standstill. The program refers to a “klikiRandomizer” in its strings.
One of the sites it visits delivers a drive-by download of a TDSS downloader.
Another of the components has been built to mimic the File Properties of something called the RemoteCommand Module from Symantec’s Ghost disk imaging application.
Another downloader dropped by Headhsot, Trojan-Downloader-Ncahp, pulls down at least four more payloads, depending on the instructions it retrieves from its command and control server. One of those payloads is always Trojan-Backdoor-Zbot, a notorious password stealer. The downloaders contact a number of domains well known to be used for malicious purposes, including bigpayinfos.com, glures.com, solaruploaderz.com, bestviewbars.com, autouploaders.net, and promotds.com.
Needless to say, by several minutes into the initial infection, the system is completely owned by the malware: More than 40 executable programs have been launched on the system. Some have done their job and quit (and self-deleted), while others remain active.
It took several days to parse out all the malwarey goodness. The list of malware retrieved postmortem from the testbed PC includes: Worm-Koobface; Trojan-Downloader-Ncahp; Trojan-Clicker-Vesloruki; Trojan-Backdoor-Zbot; Trojan-Pushu; and Trojan-Agent-TDSS. We created two new definitions for two of the payloads: Adware-DiskClean and Trojan-Agent-Dump. We also created a new definition for the Headshot dropper. Several of the payloads were too generic to be classified; These files made small changes, such as modifying the Windows Firewall, so they ended up in Trojan-Agent.gen and Trojan.gen.