Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    September 2013
    S M T W T F S
    « Aug   Oct »
    1234567
    891011121314
    15161718192021
    22232425262728
    2930  
  • About Us
    TrendLabs Security Intelligence Blog(breadcrumbs are unavailable)

    Archive for September 6th, 2013




    In a previous post, we discussed how the rise in the number of Tor users that was directly attributed to the Mevade malware. In this post, we will look into the details of the Mevade malware and how it first arrived on user systems.

    The first batch of Mevade samples (detected as BKDR_MEVADE.A) we gathered was downloaded by a malicious file named FlashPlayerUpdateService.exe (detected as TROJ_DLOADE.FBV). (The legitimate Flash updater uses the same file name.) The two files can be differentiated by examining the file properties. The legitimate version is signed, while the malicious version is not. In addition, the version numbers are different.

    Figure 1. TROJ_DLOADE.FBV file properties

    Figures 2 and 3. Signed legitimate file

    The backdoor communicates to its C&C server via HTTP to receive commands, which include updating a copy of itself and connecting to a specific location using SSH to secure its communication.

    As for TROJ_DLOADE.FBV, we’ve found that the URLs it uses to access its C&C servers has the following pattern:

    • http://{malicious domain}/updater/{32 random hexadecimal characters}/{1 digit number}

    The IP addresses that host these C&C servers are located in Russia.

    Looking into the feedback data provided by the Smart Protection Network, TROJ_DLOADE.FBV was found in multiple countries, with Japan and the United States being the most affected.

    Table 1. Countries affected by TROJ_DLOADE.FBV

    BKDR_MEVADE.A shows a different distribution, which highlights that TROJ_DLOADE.FBV is not just being used to distribute Mevade:

    Table 2. Countries affected by BKDR_MEVADE.A

    In addition to the Mevade malware itself, we saw that ADW_BPROTECT had also been downloaded onto affected systems. This is expected for Mevade, as we noted earlier that it is linked to cybercriminals responsible for the distribution of adware. This downloading of adware is consistent with our findings that the Mevade botnet is possibly monetized via installing adware and toolbars. Its distribution is more similar to the original downloader malware:

    Table 3. Countries affected by ADW_BPROTECT

    Newer versions of Mevade (BKDR_MEVADE.B and BKDR_MEVADE.C) no longer use SSH; instead they use the Tor network to hide their network traffic. This can help cover their activity online, but otherwise the behavior and propagation is identical.

    Table 4. Countries affected by BKDR_MEVADE.C

    How the malware arrives into the system, however, is still under investigation. We will update the blog should we find more information about the infection vector. Still, users must observe best computing practice and to avoid visiting and downloading files from unverified websites or links from email, social media etc. Always update the system with the latest software security patch. Trend Micro detects and deletes the malware cited in this blog entry.

    With analysis from Eduardo Altares, Alvin Bacani, and Marvin Cruz.

     
    Posted in Bad Sites, Malware | Comments Off


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice