The Bohu family of Trojans has recently earned some media attention. It’s a common malware family that is prevalent in Chinese-speaking part of the world. One of its variants, TROJ_FKEPLAYR.CH, is the infection vector for GORIADU malware, which is usually used to hijack network traffic. The following graph shows the spread of GORIADU malware
In this particular attack, Goriadu malware was used to block the network traffic related to the in-the-cloud features of certain antivirus products.
TROJ_GORIADU.SMM is the component responsible for hijacking the affected system’s network traffic. The targeted applications appear to be popular Chinese antivirus solutions. Trend Micro products and URLs are not on the list of targeted products and URLs.
In the past, many malware variants have blocked URLs related to antivirus companies. However, they usually did so fairly indiscriminately, blocking the entire domains of companies (i.e., for Trend Micro the entire trendmicro.com domain would be blocked.) However, this was fairly easy to detect.
Instead, TROJ_GORIADU.SMM’s blocking specifically targets “in the cloud” functionality by blocking only the servers used for these services. It does this by blocking very specific URLs, such that one could access the websites of the targeted products yet their “cloud” features would not work.
Trend Micro researchers are digging deeper into this issue. These particular behaviors meant to evade detection (appending of garbage code and blocking access to antivirus sites and related services) are definitely not unheard of but they do highlight the importance of protecting computers at all possible levels, such as the URL and file level.
Special thanks to Jamz Yaneza, Patrick Estavillo, Edgardo Diaz, Jr., Jasper Manuel and King Viray for contributing to this post.
Update as of January 26, 2010, 10:00 PM Pacific Time
Upon further analysis, we’ve found that TROJ_FKEPLAYR.CH has two main components: TROJ_GORIADU.SMX and TROJ_GORIADU.SMZ. TROJ_GORIADU.SMZ acts as the installer for the fake video player. TROJ_GORIADU.SMX has a wide variety of behaviors, namely:
- Change the DNS servers used by the system
- Append random code to any file
- Decode and drop a file which is detected as TROJ_GORIADU.DRP
TROJ_GORIADU.DRP drops several other GORIADU variants: TROJ_GORIADU.SMC, TROJ_GORIADU.SMM, TROJ_GORIADU.SMW, and TROJ_GORIADU.SMY. TROJ_GORIADU.SMC has Layered Service Provider (LSP) capabilities and is still undergoing further analysis.