The File Infector Revival
The year 2006 saw the revival of file infectors, which insert malicious code into other executable files (making them stickier and more difficult to remove than the more common worms and Trojan horse programs). As much as 25% of all cases processed by Trend Micro in 2006 were related to file infectors, the second largest share of cases by malware type (Trojans accounted for 43%).
The "PE_FUJACKS" File Infector
PE_FUJACKS, a young family of file infectors discovered in the last quarter of 2006, has taken on the traits that characterize the current threat landscape: multi-component, sequential, focused, Web-based, and profit driven. As a result, PE_FUJACKS further blurs the distinction between threat types. More than a threat type, PE_FUJACKS represents an elaborate attack that is carefully launched to achieve a sinister goal.
As a file infector, PE_FUJACKS searches for .EXE, .SCR, .PIF, and .COM files, appends its code to them, and creates an infection marker to avoid re-infection. PE_FUJACKS also infects .ASP, .ASPX, .HTM, .HTML, .JSP, and .PHP files by appending its code using an IFrame. This routine creates a second platoon to carry on its download routine, just in case a clever user extinguishes the front lines provided by the infected executables. In addition, if the affected system is a Web server, or if a user uploads infected files to the Internet, this method provides another way for the malware to download other threats onto unsuspecting users' computers.
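The IFrame appended to Web files is the part of this routine a Web server administrator can look for directly. The following scanner is an added example written for this page, not code from the report or from Trend Micro; it walks a Web root and flags IFrames that sit after the document's final closing tag (the position an appending infector leaves behind) or that are hidden from the visitor. The extension list comes from the report; the regular expressions, the "hidden" heuristic and the sample pages are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Web file types the report says PE_FUJACKS appends an IFrame to.
WEB_EXTENSIONS = {".asp", ".aspx", ".htm", ".html", ".jsp", ".php"}

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
CLOSING_HTML_RE = re.compile(r"</html\s*>", re.IGNORECASE)
# Heuristic (assumption): zero-sized or invisible frames are how an injected loader is hidden.
HIDDEN_RE = re.compile(
    r"(?:width|height)\s*=\s*[\"']?0\b|display\s*:\s*none|visibility\s*:\s*hidden",
    re.IGNORECASE,
)


def suspicious_iframes(content: str) -> list:
    """Return (reason, tag) pairs for IFrames that look injected rather than authored.

    Two checks: an IFrame placed after the document's last </html> (appended
    content), and an IFrame whose attributes make it invisible to the visitor.
    """
    findings = []
    closing = list(CLOSING_HTML_RE.finditer(content))
    tail_start = closing[-1].end() if closing else len(content)
    for m in IFRAME_RE.finditer(content):
        tag = m.group(0)
        if m.start() >= tail_start:
            findings.append(("appended after </html>", tag))
        elif HIDDEN_RE.search(tag):
            findings.append(("hidden iframe", tag))
    return findings


def scan_webroot(root: str) -> dict:
    """Walk a Web root and map each flagged file to its suspicious IFrames."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in WEB_EXTENSIONS:
            hits = suspicious_iframes(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample pages (not taken from any real infection).
CLEAN_PAGE = "<html><body><p>hello</p></body></html>\n"
INFECTED_PAGE = CLEAN_PAGE + '<iframe src="http://example.invalid/x.htm" width=0 height=0></iframe>'
HIDDEN_INLINE = '<html><body><iframe style="display:none" src="http://example.invalid/y"></iframe></body></html>'

if __name__ == "__main__":
    for name, page in [("clean", CLEAN_PAGE), ("appended", INFECTED_PAGE), ("hidden", HIDDEN_INLINE)]:
        print(name, suspicious_iframes(page))
```

Run `scan_webroot("/path/to/webroot")` against a copy of the document root; any hit should be compared against a known-good backup before the IFrame is removed, since a legitimately authored frame can also trip the hidden-frame check.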
To further achieve its goals, FUJACKS needs to propagate not only within a computer, which file infection accomplishes, but beyond it, into the network. It thus drops copies of itself into network shares under an attractive file name: GameSetup.exe. A user on the network who falls for this social engineering scheme is bound to be affected next, as the newly infected system becomes a springboard for further propagation.
Additionally, PE_FUJACKS propagates via instant messaging, further fueling the resurrection of IM as a popular vector for threats. It sends instant messages that contain a link pointing to a Web site that, in turn, contains scripts or exploit codes that automatically download a copy of PE_FUJACKS on the system, without prompting the user.
PE_FUJACKS targets the Chinese computing population. Designed to run on Chinese Windows platforms, it uses Chinese-language messages when propagating via instant messaging, and it searches for Chinese characters in the running processes that it aims to terminate. Although technically it can run on other platforms, English-language platforms do not read its code correctly.
What FUJACKS Does
FUJACKS connects to a Web site to download a text file, which contains other Web sites to which it connects and downloads other files. The malware author can change the contents of the text file at any time. Thus, the cyber criminal controls what FUJACKS downloads, and therefore determines the overall FUJACKS attack. The author can, for instance, sell the URLs to adware companies that are willing to pay to automatically install their annoying little programs on FUJACKS-infected systems.
Indeed, it has been verified that the contents of the text file change constantly. One piece of content, however, does not change: a URL that points to an updated copy of PE_FUJACKS. This gives the malware the ability to keep improving itself, and in particular to keep dodging virus protection.
One of the downloaded files is a Trojan spyware, revealing the profit-driven nature of FUJACKS' attack. The spyware is a member of the TSPY_AGENT family of information stealers. This Trojan spyware logs user keystrokes to steal information related to Zhengtu Online, a new, fast-growing Chinese online game. Like any other online game, Zhengtu Online allows users to purchase virtual assets using real money. Needless to say, huge amounts of real money are involved here. By stealing user information, attackers can take control of financial accounts.
Yes, FUJACKS is concentrating on Internet users in China, but it should serve as a reminder that all Internet users are vulnerable, as the same threat technologies and techniques are used across the globe in regional and targeted attacks.
