An Alureon Trojan variant designed to extract the location of backup C&C centers from images disseminated across the Web has been discovered by a Microsoft researcher.
The Alureon Trojan family is well known for its data-stealing ways. The Trojan is designed to gather confidential information (usernames, passwords, credit card data), transmit malicious data to the infected computer, and can modify the DNS settings of that computer so that it may do what it was programmed to do.
This particular strain, often downloaded by the FakeSysdef “fake defragmenter” program family, has recently begun downloading an additional component once it has gained a foothold on a system.
After having decrypted and analyzed this component (“com32”), the researcher has discovered that it added cryptography and JPG processing functionality to the Trojan. In addition, the configuration file held a number of URLs hosted at LiveJournal and WordPress.
“The content of each page appeared to be benign, containing numerous and varied JPGs hosted on the free image provider ‘imageshack.us’,” he says. But a look at the code for the retrieval of the pages revealed that specific JPG files would be retrieved by the Trojan along with a 61-character ASCII string that looked a lot like a password.
“After further investigation, I was able to determine that embedded within each of the JPGs was a complete configuration file using steganography,” he revealed. “One of the critical sections of the configuration file contains the list of command and control servers. The purpose of the publicly hosted data was revealed – it’s there to provide a layer of redundancy and defense against existing domains that might become unavailable.”
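The article does not say how the configuration was embedded in the JPGs, so the following is an added example, not part of the researcher's analysis: a small JPEG structure check a defender can run over downloaded images to flag the two places appended data is most often hidden, bytes after the EOI marker and oversized COM/APPn metadata segments. The function names, the threshold and the sample bytes are constructed for this illustration.

```python
import struct

# Markers that matter for the walk: SOI starts the file, SOS starts the entropy-coded
# scan (segments stop being length-prefixed there), EOI ends the image.
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01, *range(0xD0, 0xD8)}  # TEM and RSTn carry no length field

def walk_jpeg(data: bytes, max_metadata: int = 4096) -> dict:
    """Walk the marker segments of a JPEG and report where hidden data could sit.
    Returns the (marker, payload length) list, the byte count after EOI, and
    human-readable findings. max_metadata is an assumed threshold, not a standard."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    segments, findings, pos = [], [], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill bytes between segments are legal
            pos += 1
            continue
        if marker in STANDALONE:
            pos += 2
            continue
        if marker == SOS:             # entropy-coded data follows; stop walking
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        payload = data[pos + 4:pos + 2 + length]
        segments.append((marker, len(payload)))
        if (marker == 0xFE or 0xE0 <= marker <= 0xEF) and len(payload) > max_metadata:
            findings.append(f"oversized metadata segment 0x{marker:02X} ({len(payload)} bytes)")
        pos += 2 + length
    eoi = data.find(b"\xff\xd9", pos)  # FF D9 never occurs inside entropy-coded data
    trailing = len(data) - (eoi + 2) if eoi != -1 else 0
    if eoi == -1:
        findings.append("no EOI marker found")
    elif trailing:
        findings.append(f"{trailing} bytes after EOI")
    return {"segments": segments, "trailing_bytes": trailing, "findings": findings}

def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: JFIF header, a comment, a stub scan, then 32 bytes glued on after EOI.
SAMPLE = (b"\xff\xd8"
          + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + _segment(0xFE, b"constructed sample")
          + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
          + b"\x12\x34\xff\x00\x56"  # stand-in scan data with a stuffed FF 00
          + b"\xff\xd9"
          + b"\x00" * 32)            # appended blob: the kind of thing worth inspecting
```

An image that decodes normally in a viewer can still carry kilobytes after EOI; the viewer stops at the marker, which is why this check looks past it.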