February 11, 2013 at 18:21What do Win32 / Redyms and TDL4 have in common?
Since the beginning of 2013, we started tracking an interesting family of Trojan programs - Win32 / Redyms. This threat is noteworthy in that it uses the technique of spoofing the results of search queries of popular search engines. We found that it received the greatest distribution in the USA and Canada . It is in these countries that the cybercriminal market offers the highest prices for redirecting (clicking) a user from popular search engines to malicious or advertising resources.
Our lead analyst Alexander Matrosovperformed an in-depth analysis of Win32 / Redyms. As a result, the similarity of this malicious code with another program was discovered - Win32 / Agent.TJO, which is also known as part of the Olmarik / TDL4 family. Win32 / Agent.TJO is a user-mode trojan based on the clicker mechanism of one of the TDL4 components. Both TDL4, Win32 / Agent.TJO, and Win32 / Redyms use similar mechanisms for managing network traffic that is transmitted by the browser. To control traffic, the bot intercepts several functions from the Microsoft Windows Socket Provider library (mswsock.dll):
Fig. Intercepting the mswsock.dll library functions.
All three families of these malicious programs use the same methods of intercepting functions, as well as interacting with the C&C server encrypted using the RC4 encryption algorithm.
The graph of the function responsible for interacting with the C&C server is as follows:
Fig. C&C function graph.
Another interesting feature of Win32 / Redyms was discovered in the Domain Generation Algorithm (DGA), which selects C&C servers for interaction. This algorithm is based on simple alphabetical permutations and other changes, in accordance with the initial constant. The figures below show a reconstruction of this algorithm in python, as well as regular decompiled code.
Fig. Reconstructed python DGA function code.
Fig. Decompiled DGA function code.
Fig. List of C&C malicious code servers.
The first domain names from the list shown in the figure above were registered in mid-December 2012 - early January 2013. This indirectly indicates that Win32 / Redyms has been distributed since the end of December.
Win32 / Redyms embeds its malicious code in all active processes. If the embedded code detects that it works in a browser application, it creates a special thread in this process, and also intercepts functions from the mswsock.dll library.
Fig. Part of the Win32 / Redyms malicious code that creates a special thread in the browser process.
The injected code intercepts network activity in a running browser process and tries to find search engines from the list shown in the figure below.
Fig. List of search engines that track malicious code.
If it detects search engine activity, all search requests are redirected to the C&C command server, and the URL links provided during the search request are replaced according to those received from C&C. The URL verification code is based on the interception of the WSPSend () function, which uses AVL trees as a structure for storing data. To work with AVL tree structures, the malicious code uses the RTL_GENERIC_TABLE structure from kernel32.dll. TDL4 uses the same ideas in the cmd.dll user-mode component.
Our lead analyst Alexander Matrosovperformed an in-depth analysis of Win32 / Redyms. As a result, the similarity of this malicious code with another program was discovered - Win32 / Agent.TJO, which is also known as part of the Olmarik / TDL4 family. Win32 / Agent.TJO is a user-mode trojan based on the clicker mechanism of one of the TDL4 components. Both TDL4, Win32 / Agent.TJO, and Win32 / Redyms use similar mechanisms for managing network traffic that is transmitted by the browser. To control traffic, the bot intercepts several functions from the Microsoft Windows Socket Provider library (mswsock.dll):
Fig. Intercepting the mswsock.dll library functions.
All three families of these malicious programs use the same methods of intercepting functions, as well as interacting with the C&C server encrypted using the RC4 encryption algorithm.
The graph of the function responsible for interacting with the C&C server is as follows:
Fig. C&C function graph.
Another interesting feature of Win32 / Redyms was discovered in the Domain Generation Algorithm (DGA), which selects C&C servers for interaction. This algorithm is based on simple alphabetical permutations and other changes, in accordance with the initial constant. The figures below show a reconstruction of this algorithm in python, as well as regular decompiled code.
Fig. Reconstructed python DGA function code.
Fig. Decompiled DGA function code.
Fig. List of C&C malicious code servers.
The first domain names from the list shown in the figure above were registered in mid-December 2012 - early January 2013. This indirectly indicates that Win32 / Redyms has been distributed since the end of December.
Win32 / Redyms embeds its malicious code in all active processes. If the embedded code detects that it works in a browser application, it creates a special thread in this process, and also intercepts functions from the mswsock.dll library.
Fig. Part of the Win32 / Redyms malicious code that creates a special thread in the browser process.
The injected code intercepts network activity in a running browser process and tries to find search engines from the list shown in the figure below.
Fig. List of search engines that track malicious code.
If it detects search engine activity, all search requests are redirected to the C&C command server, and the URL links provided during the search request are replaced according to those received from C&C. The URL verification code is based on the interception of the WSPSend () function, which uses AVL trees as a structure for storing data. To work with AVL tree structures, the malicious code uses the RTL_GENERIC_TABLE structure from kernel32.dll. TDL4 uses the same ideas in the cmd.dll user-mode component.