Rube Goldberg Trojan Works Hard for the Hijack


Money drives the motivation for most cybercrime, but it’s been a while since we’ve seen a criminal try to earn their money by driving traffic to a Web site, rather than just taking your cyberwallet.

Some anonymous Trojan creator has taken a bold new approach towards a malware work ethic with his or her new browser hijacker Trojan: It registers an entirely new file suffix (.nak), along with handling instructions within Windows, so that the new suffix integrates seamlessly into the operating system. The Trojan then replaces just the file suffix on any Shortcut that points to either the IE or Firefox browser, on the desktop or in the Start menu, with the new suffix. You may not even have realized that Shortcut files have file extensions; they’re normally hidden.

The net effect is that, on an infected computer, if you launch IE or Firefox by double-clicking one of the shortcuts on the desktop or in the Start menu, it opens a page to a Chinese portal — regardless of the Home Page settings in either browser.

It sounds more impressive than it turned out to be, even if it was kind of surprising at first, and despite the fact that the creators walked three sides of a square to get there. The only good news is that the changes the Trojan makes to the system are easily reversible. And you can still open IE and Firefox normally by launching them from the command line, navigating to the application itself in Explorer, or by creating new shortcuts to the applications.

The trick of this new technique is how the creator instructs the operating system to handle files with the .nak extension. The registry keys connected to this extension, and its associated CLSID of {95247781-bea0-43dc-99e9-153822be6f9a}, instruct the operating system to treat files with the .nak extension like normal Windows shortcuts, but to pass the application that’s the target of the shortcut the following parameter:

http://%%77%%77%%77%%2E%%6D%%76%%34%%31%%39%%2E%%63%%6F%%6D

Look familiar? It does to me, too. It’s a hexadecimal-encoded URL, the kind I wrote about in an earlier blog post. The only reason I can surmise as to why the Trojan author decided to encode the URL this way is to mask the destination, though they’ve clearly done an amateur-hour job. In this case, the URL is www.mv419.com.
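The decoding above is mechanical enough to automate. The following is an added example, not code from the original post: it collapses the doubled `%%XX` escapes quoted in the post to ordinary `%XX` (in batch-file syntax `%%` is how a literal `%` is written; the post does not say why the percent signs are doubled, so accepting both forms is an assumption) and then percent-decodes the result. It also scores how many escapes encode characters that never needed escaping (the RFC 3986 unreserved set), which is a simple indicator that a URL was encoded to mask its destination rather than for any legitimate reason. The sample parameter is the one quoted in the post; the second sample is constructed.

```python
import re
from urllib.parse import unquote

# The parameter string quoted in the post (doubled percent signs as written there).
SAMPLE_PARAM = "http://%%77%%77%%77%%2E%%6D%%76%%34%%31%%39%%2E%%63%%6F%%6D"

# Constructed sample: a URL with one legitimate escape (a space).
LEGIT_URL = "http://example.com/a%20b"

_DOUBLED = re.compile(r"%%([0-9A-Fa-f]{2})")
_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")
_UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def collapse_doubled_escapes(s: str) -> str:
    """Rewrite '%%XX' as '%XX'; plain '%XX' is left untouched."""
    return _DOUBLED.sub(r"%\1", s)


def decode_obfuscated_url(s: str) -> str:
    """Return the URL the browser actually receives after both the
    doubled-escape collapse and standard percent-decoding."""
    return unquote(collapse_doubled_escapes(s))


def encoded_unreserved_ratio(s: str) -> float:
    """Fraction of %XX escapes that encode unreserved characters.

    Legitimate encoders never escape letters, digits, '-', '.', '_' or '~',
    so a ratio near 1.0 means the encoding exists only to hide the URL.
    Returns 0.0 when the string contains no escapes at all."""
    escapes = _ESCAPE.findall(collapse_doubled_escapes(s))
    if not escapes:
        return 0.0
    needless = sum(1 for h in escapes if chr(int(h, 16)) in _UNRESERVED)
    return needless / len(escapes)


def looks_masked(s: str, threshold: float = 0.5) -> bool:
    """Heuristic: treat the URL as deliberately masked when at least
    `threshold` of its escapes were unnecessary."""
    return encoded_unreserved_ratio(s) >= threshold


if __name__ == "__main__":
    for sample in (SAMPLE_PARAM, LEGIT_URL):
        print(
            f"{sample}\n  -> {decode_obfuscated_url(sample)}"
            f"  (needless escapes: {encoded_unreserved_ratio(sample):.2f},"
            f" masked: {looks_masked(sample)})"
        )
```

Run as a script it prints the decoded form of each sample next to its score; the post's parameter decodes to www.mv419.com with every one of its thirteen escapes flagged as unnecessary, while the constructed legitimate URL scores zero.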

And because the Trojan only modifies the shortcuts to IE and Firefox in the most common locations where those shortcuts appear, when you launch one of those shortcuts Windows behaves as though you had clicked a bookmark file pointing to www.mv419.com.

What you end up with is a browser hijacking that has none of the characteristic behaviors of a hijacking: No Hosts file modification, and no changes to Home Page settings in the browsers’ preferences.
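Since the usual hijack indicators are absent, the places to look are the ones this technique actually touches: the file-type registrations under HKEY_CLASSES_ROOT and the extensions on the shortcut files themselves. The following is an added example, not the post's or any product's code. It parses a `reg export`-style text dump, flags any extension that is registered to behave like a shell link (the `IsShortcut` and `NeverShowExt` values that Windows' own `lnkfile` ProgID carries) but is not one of Windows' own shortcut types, or whose open command appends arguments after `%1`, and then lists Desktop and Start Menu files carrying such an extension. The registry fragment and file listing are constructed: the `.lnk`/`lnkfile` entries mirror the real layout, but the `.nak`/`nakfile` entries are an assumed stand-in, since the post gives the CLSID and the parameter but not the exact key contents.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in `reg export` format. The .nak/nakfile keys are an
# assumed reconstruction of the hijacker's registration, not a capture.
SAMPLE_REG_EXPORT = r"""
[HKEY_CLASSES_ROOT\.lnk]
@="lnkfile"

[HKEY_CLASSES_ROOT\lnkfile]
@="Shortcut"
"IsShortcut"=""
"NeverShowExt"=""

[HKEY_CLASSES_ROOT\.nak]
@="nakfile"

[HKEY_CLASSES_ROOT\nakfile]
@="Shortcut"
"IsShortcut"=""
"NeverShowExt"=""

[HKEY_CLASSES_ROOT\nakfile\CLSID]
@="{95247781-bea0-43dc-99e9-153822be6f9a}"

[HKEY_CLASSES_ROOT\nakfile\shell\open\command]
@="\"%1\" http://%%77%%77%%77%%2E%%6D%%76%%34%%31%%39%%2E%%63%%6F%%6D"

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
"""

# Constructed file listing of the locations the post says were modified.
SAMPLE_SHORTCUT_PATHS = [
    r"C:\Users\alice\Desktop\Internet Explorer.nak",
    r"C:\Users\alice\Desktop\Mozilla Firefox.nak",
    r"C:\Users\alice\Desktop\Notepad.lnk",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.nak",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk",
]

HKCR = "HKEY_CLASSES_ROOT\\"
KNOWN_SHORTCUT_EXTS = {".lnk", ".pif", ".url"}   # Windows' own link types
SHORTCUT_LOCATIONS = ("\\desktop\\", "\\start menu\\")

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg_export(text: str) -> dict:
    """Parse the [key] / name=value subset of .reg syntax into
    {key: {name: value}}; '@' is the default value, string quotes and
    \" / \\ escapes are removed."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            value = m.group(2)
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = value
    return keys


def suspicious_extensions(keys: dict) -> dict:
    """Return {ext: [reasons]} for extensions that act like shell links
    (or inject arguments after %1) but are not Windows' own link types."""
    findings = {}
    for key, values in keys.items():
        if not key.startswith(HKCR + "."):
            continue
        ext = key[len(HKCR):].lower()
        progid = values.get("@")
        if not progid:
            continue
        progkey = HKCR + progid
        progvals = keys.get(progkey, {})
        reasons = []
        if "IsShortcut" in progvals:
            reasons.append("ProgID marked IsShortcut")
        if "NeverShowExt" in progvals:
            reasons.append("extension hidden via NeverShowExt")
        tokens = keys.get(progkey + r"\shell\open\command", {}).get("@", "").split()
        idx = next((i for i, t in enumerate(tokens) if "%1" in t), None)
        if idx is not None and tokens[idx + 1:]:
            reasons.append("open command injects arguments after %1: " + " ".join(tokens[idx + 1:]))
        if reasons and ext not in KNOWN_SHORTCUT_EXTS:
            findings[ext] = reasons
    return findings


def hijacked_shortcuts(paths, suspicious: dict) -> list:
    """Desktop / Start Menu files whose extension was flagged above."""
    return [p for p in paths
            if any(loc in p.lower() for loc in SHORTCUT_LOCATIONS)
            and PureWindowsPath(p).suffix.lower() in suspicious]


def scan(reg_export: str, paths) -> tuple:
    suspicious = suspicious_extensions(parse_reg_export(reg_export))
    return suspicious, hijacked_shortcuts(paths, suspicious)


if __name__ == "__main__":
    exts, hits = scan(SAMPLE_REG_EXPORT, SAMPLE_SHORTCUT_PATHS)
    for ext, reasons in exts.items():
        print(f"{ext}: " + "; ".join(reasons))
    for h in hits:
        print("  hijacked shortcut:", h)
```

On a live system the two inputs would come from `reg export HKCR` and a directory walk of the Desktop and Start Menu folders; the check deliberately ignores `.lnk`, `.pif` and `.url` so that only extensions impersonating a shortcut are reported, and the `.txt` entry in the sample shows that an ordinary open command with `%1` in last position is not flagged.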

And just what do you find on www.mv419.com anyhow? As it turns out, browsers that load the URL are redirected to a page on another site, wwvv.in23.cn (yes, that’s doubleyou, doubleyou, vee vee, for those playing at home). And all in23.cn does is load, in a full-page frame, a third Web site, www.dh818.com: a generic-looking Chinese portal site, allegedly registered to someone at the Harbin Institute of Technology in China who uses the elite hacker handle “boymoon999”, and one that also happens to be blacklisted on various reputation services for (drumroll, please) being a source of malware. Hard to believe, I know, but there you have it.

Did I fail to mention that it also deletes all your browser favorites or shortcuts? How obnoxious is that?

And it shows that, somewhere out on the Internet, not only does some brain damaged cretin still think it’s completely OK to hijack browsers so a victim always loads the hijacker’s Web site, but the hijacker stands to benefit financially from his own utterly repugnant, though not outright criminal, behavior.