CrimeSpider Botnet serves up explicit webpages (Sep 28, 2012)
Dell Sonicwall Threats research team have discovered a new Trojan in the wild called CrimeSpider. The Trojan’s primary objective appears to be aimed at displaying webpages that contain explicit content on the compromised machine.
Upon infection the Trojan periodically brings up various pornographic webpages in fullscreen mode:
The pages lead to explicit pay-per-access video chat rooms.
The Trojan creates the following file on the filesystem:
- %APPDATA%jusched.exe [Detected as GAV: CSpider (Trojan)]
The Trojan creates the following key in the Windows registry to enable startup after reboot:
- HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun Java(TM) Platform SE Auto Updater “%APPDATA%jusched.exe start 4038-6D81”
Below is a sample of DNS requests made by the Trojan:
- dl.dropbox.com
- brio.jp
- www.cameraboys.com
- www.joyourself.com
- www.a-cameraboys.com
- www.a-joyourself.com
- www.livejasmin.com
- www.mycams.com
- www.xxxtrance.com
- brokenelastihear.a-cameraboys.com
- bu5inka.a-cameraboys.com
- carmelgoddess.a-cameraboys.com
- cassiana_nl.a-cameraboys.com
- cherrylipss.a-cameraboys.com
- notmarye.a-joyourself.com
- crazyduo20.a-joyourself.com
- denisa_nl.a-joyourself.com
- d31qbv1cthcecs.cloudfront.net
The Trojan obtains a list of C&C servers from a dropbox user account:
Once the list of C&C servers has been obtained it contacts each server to report infection and to request webpages to display on the compromised machine:
Below is a list of action requests made to C&C servers:
action=reg&key=action=updateaction=uplinkaction=geturl&key=action=statusaction=apu&url=action=uu&url=Below is a list of status messages that are returned from C&C servers:
CrimeSpider.Reg.OKCrimeSpider.URL.MissingCrimeSpider.URL.ErrorCrimeSpider.URLCrimeSpider.BHCrimeSpider.HLCrimeSpider.ActiveSonicWALL Gateway AntiVirus provides protection against this threat via the following signature:
- GAV: CSpider (Trojan)
