Install one Trojan, get three more

Downloader Trojans are often used by cyber crooks to thoroughly infect systems in order to extract anything that might be of value to them.

Trojan.Badlib is a particularly effective piece of malware belonging to that particular category, effectively acting as a malware distribution network.

When Badlib is firstly installed and detects an Internet connection, it tries to reach a C&C server in order to receive commands from it. It searches for it on a number of hard-coded domains, and if it doesn’t find it, it proceeds to check out several IP addresses on a default list.

Once the C&C is contacted, it instructs the Trojan on where to download further malware. The response includes the number of files it has to download and their digital signature so as to make sure it downloads the right ones.

According to Symantec researchers, Badlib is currently downloading three distinct Trojans: Trojan.Badfaker, Trojan.Badminer, and Infostealer.Badface.

Trojan.Badfaker’s goal is to disable the AV solution on the infected computer and to hide that fact from the user. Once it detects and recognizes the running AV software, it modifies Windows to boot into safe mode when it next boots up.

Then, it deletes all the files and folders related to that AV it can find, but not before extracting the the icon from the main executable file, which it will continue to display in the system tray in order to preserve the illusion that the legitimate AV is still running.

Next, it proceeds to disable the Windows Firewall and warnings from Microsoft Security Center, and ends with occasionally showing fake warnings (in English or in Russian) about infections mimicking the (now disabled) legitimate AV.

Trojan.Badminer aims at using the power of the infected computer’s GPU to mine Bitcoins.

And finally, Infostealer.Badface’s goal is to harvest login credentials for a number of popular social networks. It does that by creating a local Web server through which the traffic destined for those sites is redirected.

Once the login credentials are recorded, the user is redirected on to the legitimate login page for those sites. And, as you probably already know, the collected credentials are sold on underground online markets, to be used by other criminals to hijack social networking accounts in order to use them for a wide variety of revenue-generating purposes.

“Given the domains used, the bilingual nature of the Trojan, the targets of its information theft activity and the locations of the computers specified in command-and-control traffic, it would appear to suggest that this malware is of Russian or Eastern European origin,” speculate the researchers and point out that the malware that is downloaded by Trojan.Badlib will probably change as time passes.

Don't miss