Every once in a while, you hear whispers or rumors about specially-crafted, targeted malware designed to steal a specific piece of data from a particular victim. The data thieves, in these limited cases, tend to be clever, thoughtful, and methodical in both the creation and deployment of their creations.
Rarely do malware researchers encounter these files. But it does happen occasionally, and I thought I had stumbled upon one of these kinds of spies a few weeks ago. It’s a peculiar Trojan horse which has been written not as a standard Windows application, but as an ObjectARX application — an application which can only run if you have AutoCAD, the engineering and design program from AutoDesk, installed on your PC.
Now, why do you suppose a malware author would write a Trojan that can only run on computers with AutoCAD; a Trojan that is so well designed that it prevents antivirus applications from running, and downloads specific, tailored updates for itself, depending on which version of AutoCAD the victim has on his or her PC?
Sounds a lot like a slick tool for corporate espionage, right? Well, not quite. Fark: It’s just another stupid adware client. We’re calling this dumb gimmick Trojan-Pigrig.
Here’s how it works: A small stub application (which runs under Windows) scans the registry to determine if you have AutoCAD installed, and if so, which version. Once it makes that determination, it then contacts a server based in China and pulls down code customized to work with one of the following releases of AutoCAD: 2000, 2004, 2005, 2006, 2007, 2008, or 2009. The files are loaded into AutoCAD’s initialization scripts so the next time the application is launched, the Trojan loads right along with it.
Once it’s been executed once in AutoCAD, the game is afoot, and the Trojan makes a number of system modifications: It downloads more payloads, and copies three files with .dat extensions to a folder it creates on the top level of any other connected hard drive, named Recycled — note that this isn’t the same thing as the “RECYCLER” folder on each drive, which is the Windows Recycle Bin.
Clearly, the spy doesn’t expect that you’ll have a non-writable drive attached to your system. This is the error message that appears when it attempts to copy itself to my CD-ROM drive.
It also loads two DLLs — one runs as a service, the other as a Browser Helper Object. The latter refers to itself as “Quickflash” and acts as the actual adware client; the former hijacks registry keys used by a legitimate (though rarely used) Windows service called the RIP Listener. The adware triggers itself to activate when any of the following URLs are loaded into the browser.
Pigrig calls this service “Remote IPRIP Service” and describes it as “Listener reads Remote Routing Information Protocol (RIP) packets.” Whatever. In reality, it acts as a download client, copies the payloads to other drives, and stands guard for the rest of the components: If it detects any application tampering with the files or registry keys used to load it or other parts of the malware, it immediately shuts down the system without warning.
The malware isn’t well detected by other vendors, which isn’t surprising since it requires significant amounts of manual research to tease it out into the open. And even though it’s just an adware client, it’s a pernicious beast and takes a few sweeps to remove. With this one, be sure to keep your Communications Shield active: We’re blocking all the domains the spy uses to download its components, and so far this protection appears to be the spy’s Achilles’ heel.