An interesting tactic for hiding a Trojan has recently been spotted by Symantec researchers.
Instead of using entirely their own malicious code, the malware authors have decided to take advantage of the code belonging to the KingSoft WebShield browser protection software (part of the KingSoft Internet Security solution).
“The interesting part of this package is in its configuration, which allows an opportunity for malicious intent,” explains researcher ?â€°amonn Young. “Kingsoft WebShield has the ability to lock the home page to a specific domain as well as to redirect URLs based entirely on plain text configuration files. This means that a person with malicious intent can repackage it using malicious configuration files and use this as a home-made Trojan package.”
And so they did. The new package contains the legitimate software and its support components, but also two configuration files that practically modify it into the Trojan.
Once the apparently legitimate software is installed and running, one of these files makes it so that the home page is changed to one of the designated URLs – which house advertisement link farms – and locked so that the user can’t change it.
The other one makes sure that if a user wants to visit one a number of popular domains listed in it, he is also redirected to one of the aforementioned designated URLs.
The authors of the malware are likely to be Chinese, and so are the targeted users. The misused legitimate software is manufactured by Chinese software developer Kingsoft, and all the websites – the advertisement link farms and the domains from which the user is redirected – cater to Chinese users.
Another interesting thing about this Trojan is that deletes all Quick Launch icons except for the Internet Explorer one. And if there isn’t one, it creates it. Since the whole package works as they want to only in Internet Explorer, this is a rather (too) obvious way to make sure the user uses only that browser.
Since Kingsoft WebShield works as it usually does, the user might not spot that there’s something wrong with his computer right away upon installation of the tainted package. And even when he finally gets suspicious about the constant redirection, it will take a while before he learns how to deinstall it since the uninstaller has been omitted.
All in all, the authors of this improvised Trojan have manufactured an annoying but not very dangerous piece of malware. Unfortunately, it seems to me that it is only a matter of time until someone changes the configuration files again and the users are redirected to more malicious sites.