Trojan with sophisticated features served through Social Networks (Dec 06, 2012)

Dell SonicWALL Threats Research team discovered a new Trojan spreading through malicious links in Facebook messages. The Trojan is unusually sophisticated: it contains anti-debugging code, self-modifying code, SEH (Structured Exception Handler) modification, code injection, a spam module, a Bitcoin mining module, a Facebook messaging module and encrypted C&C communication. We saw the Trojan being served through several different links. Clicking one of them downloads the Trojan and, in many cases, also displays an enticing message urging the user to run the executable. One such instance is shown below:

The downloaded executable is shown below:

Infection Cycle

  • The Trojan, when executed, creates a copy of itself at:

    %userprofile%\fnph.exe [Detected as GAV: Injector.ZTL (Trojan)]

  • It creates the following registry entry so that the copy is launched every time the user logs on (and therefore survives a reboot):

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run : MSConfig : "%userprofile%\fnph.exe"
  • It has self-modifying code which resolves its imports at runtime and builds a custom IAT (Import Address Table), so the APIs it uses do not appear in the file's static import table

  • As seen below, it adds a custom exception handling routine to the Structured Exception Handler (SEH) chain in the Thread Environment Block (TEB) of the process. The handler contains logic that runs only when an exception is dispatched to it at runtime.
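The Run entry above is the persistence a responder checks for first. The script below is an added example written for this page, not code from the original analysis or from SonicWALL: it parses a `reg export` dump of the HKCU Run key (the sample dump is constructed, with %userprofile% expanded for an assumed user "alice") and flags entries that show the two indicators of this Trojan's entry: an executable dropped straight into the profile root, and a value name that mimics a Windows component (MSConfig) while launching from outside %SystemRoot%. The list of masqueraded component names is an assumption.

```python
import re
from pathlib import PureWindowsPath

# One "Name"="data" line of a `reg export` dump
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')

# Names of genuine Windows components that a user-profile binary has no business
# registering under (assumed list for this example)
MASQUERADE_NAMES = {"msconfig", "svchost", "explorer", "winlogon", "csrss", "lsass"}

# Constructed sample of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# output (not taken from a real host); the MSConfig line mirrors the entry the Trojan
# writes, with %userprofile% expanded for the assumed user "alice".
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"MSConfig"="\"C:\\Users\\alice\\fnph.exe\""
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
'''


def _unescape(data):
    # reg export writes REG_SZ data with backslashes and double quotes escaped
    return re.sub(r"\\(.)", r"\1", data)


def _exe_path(command):
    """Extract the executable from a Run command line (quoted path, or first token ending in .exe)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def parse_run_entries(reg_text):
    """Map each Run value name to the executable path it launches."""
    entries = {}
    for line in reg_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("name")] = _exe_path(_unescape(m.group("value")))
    return entries


def find_suspicious_run_entries(reg_text, user_profile, system_root="C:\\Windows"):
    """Return (name, path, reasons) for Run entries showing the indicators described above."""
    profile = PureWindowsPath(user_profile)
    sysroot = PureWindowsPath(system_root)
    findings = []
    for name, path in parse_run_entries(reg_text).items():
        p = PureWindowsPath(path)
        reasons = []
        # fnph.exe is dropped straight into %userprofile%, not into a vendor sub-directory
        if p.parent == profile:
            reasons.append("executable sits directly in %userprofile%")
        # a value named after a Windows component that does not launch from %SystemRoot%
        if name.lower() in MASQUERADE_NAMES and sysroot not in p.parents:
            reasons.append(f"value name {name!r} mimics a Windows component but runs from {p.parent}")
        if reasons:
            findings.append((name, str(p), reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in find_suspicious_run_entries(SAMPLE_REG_EXPORT, "C:\\Users\\alice"):
        print(f"{name}: {path}\n  " + "\n  ".join(reasons))
```

On a live host the same logic runs over the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (the HKLM Run and RunOnce keys deserve the same pass); the path comparison is case-insensitive because PureWindowsPath compares paths the way Windows does.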

The self-modifying portion of the code spawns a new svchost.exe process and injects code into it. The injected code communicates with a remote C&C server and was also found to contain several other modules, discussed below:

  • It communicates with a remote server over TCP port 443 using a custom encryption protocol rather than TLS. We observed it communicating with the following hardcoded remote servers:

    • 185.4.227.76
    • 185.4.227.78
    • 188.165.132.183
  • It also contains a module for sending email. The module looks up the MX records of various public mail domains and attempts to relay mail through the servers it finds. During a controlled run we observed the following queries being generated (many more were found in memory):

  • We also discovered a worm module that uses the following hardcoded Facebook interfaces to spread via chat messages:

  • We saw the following hardcoded Bitcoin mining URLs with account information:
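The network behaviour described above gives two detection opportunities: the hardcoded C&C addresses are contacted on port 443 with a custom protocol, so the first bytes the client sends are not a TLS record header, and the spam module makes MX lookups that a workstation never needs to make. The script below is an added example written for this page, not part of the original analysis or of SonicWALL's tooling. It runs over constructed connection and DNS log lines (the sample records, the log format and the mail-relay allowlist entry 10.0.0.5 are assumptions) and flags connections to the listed C&C addresses, connections on 443 whose first client bytes do not look like a TLS ClientHello, and hosts that resolve several distinct MX records.

```python
from collections import defaultdict

# Hardcoded C&C addresses from the analysis above
C2_SERVERS = {"185.4.227.76", "185.4.227.78", "188.165.132.183"}

# Hosts permitted to resolve MX records, e.g. the site's own mail relay (assumed for the example)
MX_ALLOWLIST = {"10.0.0.5"}

# Constructed sample logs, not captured traffic. Connection records: time, source, destination,
# destination port, first bytes sent by the client (hex). DNS records: time, source, query type, name.
CONN_LOG = """\
2012-12-06T10:01:02Z 10.0.0.15 93.184.216.34 443 160301
2012-12-06T10:01:05Z 10.0.0.15 185.4.227.76 443 8a21ff07
2012-12-06T10:01:09Z 10.0.0.15 203.0.113.9 443 5ab3
2012-12-06T10:02:11Z 10.0.0.22 188.165.132.183 443 160301
"""

DNS_LOG = """\
2012-12-06T10:03:00Z 10.0.0.15 MX example.com
2012-12-06T10:03:00Z 10.0.0.15 MX example.net
2012-12-06T10:03:01Z 10.0.0.15 A www.facebook.com
2012-12-06T10:03:02Z 10.0.0.15 MX example.org
2012-12-06T10:03:02Z 10.0.0.15 MX example.edu
2012-12-06T10:04:00Z 10.0.0.50 MX example.org
2012-12-06T10:05:00Z 10.0.0.5 MX example.com
"""


def looks_like_tls_client_hello(first_bytes):
    """A TLS ClientHello begins with a record header: type 0x16 (handshake), version 0x03 0x00-0x03."""
    return (len(first_bytes) >= 3
            and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03
            and first_bytes[2] <= 0x03)


def detect_c2_connections(conn_log):
    """Flag connections to known C&C addresses and non-TLS traffic on port 443."""
    alerts = []
    for line in conn_log.splitlines():
        ts, src, dst, dport, payload_hex = line.split()
        reasons = []
        if dst in C2_SERVERS:
            reasons.append("destination is a known C&C address")
        # the Trojan speaks its own protocol on 443, so the first record is not a TLS handshake
        if dport == "443" and not looks_like_tls_client_hello(bytes.fromhex(payload_hex)):
            reasons.append("non-TLS payload on port 443")
        if reasons:
            alerts.append({"ts": ts, "src": src, "dst": dst, "reasons": reasons})
    return alerts


def detect_mx_lookups(dns_log, threshold=3):
    """Return {source: [domains]} for non-mail hosts resolving at least `threshold` distinct MX records.

    Workstations normally never resolve MX records; a burst of distinct MX lookups from one host
    matches the spam module locating public mail servers to relay through.
    """
    mx_names = defaultdict(set)
    for line in dns_log.splitlines():
        ts, src, qtype, name = line.split()
        if qtype == "MX" and src not in MX_ALLOWLIST:
            mx_names[src].add(name.lower())
    return {src: sorted(names) for src, names in mx_names.items() if len(names) >= threshold}


if __name__ == "__main__":
    for alert in detect_c2_connections(CONN_LOG):
        print(f"{alert['ts']} {alert['src']} -> {alert['dst']}: {'; '.join(alert['reasons'])}")
    for src, domains in detect_mx_lookups(DNS_LOG).items():
        print(f"{src} resolved MX for {len(domains)} domains: {', '.join(domains)}")
```

The ClientHello check only needs the first three bytes of the client's first segment, which most packet brokers and firewalls can log; it does not prove the traffic is malicious, but a process talking to one of the listed addresses, or talking non-TLS on 443 to anything, is worth a look. The MX check is deliberately simple (distinct names per source, no time window) because the baseline for a workstation is zero MX queries.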

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV:Injector.ZTL (Trojan)
  • GAV:Buzus.MTFH (Trojan)
  • GAV:Buzus.MTED (Trojan)