By Andrew Brandt
In September, I posted an item about a dropper which we call Trojan-Dropper-Headshot. This malware delivers everything including the kitchen sink when it infects your system. It has an absolute ton of payloads, any of which on their own constitute a serious problem. All together, they’re a nightmare.
Among the payloads, we’ve seen this monstrosity drop downloaders (Trojan-Agent-TDSS and Trojan-Downloader-Ncahp, aka Bubnix), adware (Virtumonde, Street-Ads, and Sky-banners), keyloggers (Zbot and LDpinch), clickfraud Trojans (Trojan-Clicker-Vesloruki and at least three other generic clickers), and a Rogue AV called Antivir Solution Pro. So this is one nasty beast that has no qualms about using the shotgun approach to malware infections.
But we also noticed that it has added yet another intriguing installer to its panoply of pests: It’s a small executable named seupd.exe (search engine updater?) that makes two minor (but obnoxious) modifications to Firefox. The result of these modifications changes the behavior of Firefox’s search bar, the small box that lets you send queries directly to search engines, located to the right of the Address Bar.
The modifications are not immediately apparent unless you try to search Google for something, using either the Search Box or the Address Bar: Instead of sending your search to Google, the browser submits search queries to one of six different domains not owned by Google, but which appear to use the Google API to provide results — and, presumably, earn a little ad revenue on the side.