New Adware Trojan plays continuous audio ads (June 14, 2013)

The Dell SonicWALL Threats Research team has discovered a new adware Trojan that plays a continuous stream of audio advertisements in the background. The content of the ads ranges from dating to politics. The audio can originate from various sources, such as video links on YouTube pages.

Infection Cycle:

The Trojan uses the following icon:

The following is a sample of DNS queries made by the Trojan:

The Trojan adds the following files to the filesystem:

  • %PROGRAMFILES%\K14R\feeds\avcodec-53.dll
  • %PROGRAMFILES%\K14R\feeds\avformat-53.dll
  • %PROGRAMFILES%\K14R\feeds\avutil-51.dll
  • %PROGRAMFILES%\K14R\feeds\Awesomium.dll
  • %PROGRAMFILES%\K14R\feeds\awesomium.log
  • %PROGRAMFILES%\K14R\feeds\awesomium_pak_utility.exe
  • %PROGRAMFILES%\K14R\feeds\awesomium_process.exe
  • %PROGRAMFILES%\K14R\feeds\Cache\data_0
  • %PROGRAMFILES%\K14R\feeds\Cache\data_1
  • %PROGRAMFILES%\K14R\feeds\Cache\data_2
  • %PROGRAMFILES%\K14R\feeds\Cache\data_3
  • %PROGRAMFILES%\K14R\feeds\Cache\f_000001 – 00004b
  • %PROGRAMFILES%\K14R\feeds\Cache\index
  • %PROGRAMFILES%\K14R\feeds\Cookies
  • %PROGRAMFILES%\K14R\feeds\google_result.jpg
  • %PROGRAMFILES%\K14R\feeds\icudt.dll
  • %PROGRAMFILES%\K14R\feeds\kworker.exe
  • %PROGRAMFILES%\K14R\feeds\libEGL.dll
  • %PROGRAMFILES%\K14R\feeds\libGLESv2.dll
  • %PROGRAMFILES%\K14R\feeds\Local Storage
  • %PROGRAMFILES%\K14R\feeds\Local Storage\https_www.google.com_0.localstorage
  • %PROGRAMFILES%\K14R\feeds\referers.txt
  • %PROGRAMFILES%\K14R\feeds\SDL.dll
  • %PROGRAMFILES%\K14R\feeds\silentium.exe [Detected as GAV: Clicker.BDIK (Adware)]
  • %PROGRAMFILES%\K14R\feeds\x86\NPSWF32_11_5_502_135.dll
  • %PROGRAMFILES%\K14R\feeds\youtube_result.jpg
  • %PROGRAMFILES%\K14R\lupdater.exe [Detected as GAV: MalAgent.G_2412 (Trojan)]
  • %PROGRAMFILES%\K14R\snupdater.exe [Detected as GAV: Clicker.BDHP (Adware)]
  • %PROGRAMFILES%\K14R\uvname.conf
  • %PROGRAMFILES%\K14R\versions.conf
  • %PROGRAMFILES%\K14R\WindowsService.exe [Detected as GAV: Clicker.BBII (Adware)]

The Cache directory contains HTML data from the web pages the Trojan visits.

referers.txt contains the following data:

      twitter|http://t.co/
      pinterest|http://pinterest.com/pin/
      facebook|http://www.facebook.com/l.php?u=%s&h=%s&s=1

The Trojan requests a list of modules from a remote web server and then downloads them. The modules are needed for audio playback and for fetching ads from sites:

The Trojan spawns multiple copies of silentium.exe and awesomium_process.exe:

An instance of silentium.exe was observed being spawned with the following command line, which shows that one of the ads is sourced from youtube.com:

After a short time the victim is bombarded with audio ads that play continuously in the background. Because several instances of silentium.exe run at once, multiple ads play over each other. The command line above resulted in audio advertisements from a dating site playing in the background.
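The following PowerShell script is an added example for host triage and is not the SonicWALL team's code. It pulls together the artifacts described above: the dropped files under %PROGRAMFILES%\K14R, the referers.txt site|template format, and the multiple silentium.exe / awesomium_process.exe instances whose command lines name the ad source. File and process names are the ones listed in this write-up; the function names, output fields, the check of %PROGRAMFILES(x86)% on 64-bit hosts, the service lookup, and the reading of referers.txt as Referer templates are my own assumptions.

```powershell
# Added example (not from the SonicWALL write-up): hunt for the K14R adware on a Windows host.
# Indicator file and process names come from the write-up; everything else is assumed.

# The dropper writes under %PROGRAMFILES%\K14R. Assumption: on 64-bit Windows a 32-bit
# installer may land under %PROGRAMFILES(x86)% instead, so both roots are checked.
$K14RRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'K14R' }

# Paths relative to the K14R directory, with the GAV detection names the write-up lists.
$K14RFiles = @(
    @{ Path = 'feeds\silentium.exe';         Detection = 'GAV: Clicker.BDIK (Adware)' },
    @{ Path = 'feeds\awesomium_process.exe'; Detection = $null },
    @{ Path = 'feeds\kworker.exe';           Detection = $null },
    @{ Path = 'feeds\referers.txt';          Detection = $null },
    @{ Path = 'lupdater.exe';                Detection = 'GAV: MalAgent.G_2412 (Trojan)' },
    @{ Path = 'snupdater.exe';               Detection = 'GAV: Clicker.BDHP (Adware)' },
    @{ Path = 'WindowsService.exe';          Detection = 'GAV: Clicker.BBII (Adware)' },
    @{ Path = 'uvname.conf';                 Detection = $null },
    @{ Path = 'versions.conf';               Detection = $null }
)

$K14RProcesses = @('silentium.exe', 'awesomium_process.exe', 'kworker.exe',
                   'lupdater.exe', 'snupdater.exe', 'WindowsService.exe')

function Get-K14RFileHits {
    # Report each indicator path that exists, with a SHA256 so samples can be shared
    # and compared (the write-up gives no hashes, so nothing is matched here).
    foreach ($root in $K14RRoots) {
        foreach ($f in $K14RFiles) {
            $full = Join-Path $root $f.Path
            if (Test-Path -LiteralPath $full) {
                [pscustomobject]@{
                    Path      = $full
                    SHA256    = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
                    Detection = $f.Detection
                }
            }
        }
    }
}

function Get-K14RProcessHits {
    # The write-up notes several silentium.exe instances running at once, each launched
    # with a command line naming the ad source (a youtube.com URL in the observed case).
    # Pull the first URL out of each command line so the sources can be listed.
    Get-CimInstance Win32_Process |
        Where-Object { $K14RProcesses -contains $_.Name } |
        ForEach-Object {
            $url = $null
            if ($_.CommandLine -match 'https?://[^\s"]+') { $url = $Matches[0] }
            [pscustomobject]@{
                ProcessId       = $_.ProcessId
                ParentProcessId = $_.ParentProcessId
                Name            = $_.Name
                SourceUrl       = $url
                CommandLine     = $_.CommandLine
            }
        }
}

function Get-K14RReferers {
    # referers.txt holds "site|url-template" lines. Parse them so the templates can be
    # turned into proxy/IDS matches on Referer headers. Assumption: the file is used to
    # fake click referers; the write-up only shows its contents, not how it is used.
    foreach ($root in $K14RRoots) {
        $path = Join-Path $root 'feeds\referers.txt'
        if (-not (Test-Path -LiteralPath $path)) { continue }
        Get-Content -LiteralPath $path | ForEach-Object {
            $name, $template = $_ -split '\|', 2
            if ($template) {
                [pscustomobject]@{ Site = $name.Trim(); Template = $template.Trim() }
            }
        }
    }
}

function Get-K14RServices {
    # Assumption: WindowsService.exe is installed as a service. The write-up gives no
    # service name, so match any service whose binary path lies under a K14R directory.
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -match '\\K14R\\' } |
        Select-Object Name, State, StartMode, PathName
}

# Run all checks and print a summary.
$files = @(Get-K14RFileHits)
$procs = @(Get-K14RProcessHits)
"K14R files present: $($files.Count)"
$files | Format-Table -AutoSize
"K14R processes running: $($procs.Count)"
$procs | Format-Table ProcessId, ParentProcessId, Name, SourceUrl -AutoSize
"silentium.exe instances: $(@($procs | Where-Object Name -eq 'silentium.exe').Count)"
Get-K14RReferers | Format-Table -AutoSize
Get-K14RServices | Format-Table -AutoSize
```

Run it in an elevated session so Win32_Process exposes command lines for every process; a non-zero silentium.exe count together with files under K14R is the combination that matches the infection described above, and the SourceUrl column gives the ad sources to block at the gateway.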

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Clicker.BDIK (Adware)
  • GAV: Clicker.BDHP (Adware)
  • GAV: Clicker.BBII (Adware)
  • GAV: Clicker.BDHP_2 (Adware)
  • GAV: MalAgent.G_2412 (Trojan)