We spotted an interesting behavior from a Trojan dropper that belongs to a family of malware named Ponmocup. The file, update.exe (MD5 89f4ea9f0240239e0d97f202d22af325) leaves behind a payload that, among other things, modifies the Hosts file on infected computers to prevent users from visiting popular Bittorrent sites, including The Pirate Bay.
It’s an odd behavior for several reasons. We don’t see many Trojans modify the Hosts file anymore because such modifications are so easily reversed. But more to the point: Why would a criminal care whether anyone else be able to browse The Pirate Bay, a Web site known to host torrents of pirated, copyrighted material? And why also block Mininova, which changed its content model more than a year ago and no longer hosts copyrighted files? None of these things make sense.
It seems at first blush like the act of someone who fancies himself a copyright vigilante, sophisticated enough to build a custom tool such as this, but who isn’t smart enough to know which sites to block.
The Trojan originates from the followme.name domain, hosted in Russia. In addition to this domain, more than half the other domains hosted on the same IP address, 126.96.36.199, are known to Brightcloud as sites used for the distribution of malware, so it’s fair to say the lousy reputation is deserved. The Trojan’s properties identify it as something called Microsoft ScriptO version 6.0.6015.0, and in fact there really is a Windows component of that name and version number, used in Windows XP service pack 2, but the real component is a digitally signed DLL named scripto.dll about 57 kb in size; The Trojan is an unsigned 326 kb executable.
Once executed, it pauses, then drops and executes a payload executable with a name that changes each time the installer is run (MD5 aa14f39ee9c1907ab604f8e2a702f81b). The installer sets the permissions for the payload so that only the payload itself can do anything to itself, but those permissions are also easily bypassed in the Security tab of the file’s properties sheet.
The payload isn’t particularly sophisticated, with the solitary task of blocking three Bittorrent sites its goal. It’s this payload, which we classify to Trojan-Zoeken, that modifies the Hosts file then flushes the local DNS cache. The modified Hosts file contains the following lines, which on an infected system would prevent a user from browsing to any of these domains:
127.0.0.1 thepiratebay.org 127.0.0.1 www.thepiratebay.org 127.0.0.1 mininova.org 127.0.0.1 www.mininova.org 127.0.0.1 forum.mininova.org 127.0.0.1 blog.mininova.org 127.0.0.1 suprbay.org 127.0.0.1 www.suprbay.org
When this task is complete, it also contacts the victoryltd.net domain and sends a long query string to the server.
However, unlike most samples of Trojan-Zoeken we’ve seen, the file doesn’t download a mess of other payloads. On my test system it simply pegged the CPU and sat resident in memory, slowing the computer down and becoming a nuisance until I killed it with the Task Manager.
I haven’t devoted a great deal of time analyzing the Trojan, but it’s fair to say that if you find yourself unable to contact any of these sites, check your Hosts file for recent modifications, or just check to see if they’re actually online.