Chinese portal offers latest movies – then infects with trojans, keyloggers and even Apache server software

According to Webroot threat analyst Andrew Brandt, one of the latest 'movie sites' hosted in China gives visitors a lot more than pirated movies: it installs an Apache web server, along with half a dozen keylogger and downloader payloads, all disguised as components of legitimate applications.

Webroot says that the IT security industry is calling this type of malware Taobatuo.

In an analysis posted yesterday evening, Brandt says that, after struggling to install Apache on a Windows box himself (not the smoothest of processes, Infosecurity notes), he was amused to discover that the malware sample he tested pulls down its own working, customised Apache installer.

The installer, he adds, comes bundled with a collection of phishing trojans, keyloggers and downloaders, all dressed up to look like the services you might expect to see on a Microsoft-based web server.

"It just goes to show how much good these malware creators could accomplish, simply if they wanted to", he said, adding that this is clearly not the goal.

The malware, he explained, along with text files containing instructions for the malware, came from taobao.lylwc.com.

"The lylwc.com domain itself is quite a piece of work. It claims to offer free downloads or streams of current Hollywood movies, as well as an extensive library of films and TV shows", he said in his security blog.

"The operative word is 'claims' as when you try to view those movies, the site attempts to push a download of a trojan-ed installer for the QVOD media player", he added.

According to Brandt, he and his team have been seeing files originating from this domain since August, and there is evidence online that they have been circulating and infecting computers in China and elsewhere since March of this year.

The infection, he says, seems to begin when you run one of the executable installers – a process that could be invoked by a drive-by download.

"The malware executables all have .txt extensions, and are either self-extracting RAR archives or NSIS installer files", he said, adding that the main installer for the malware appears to be a DLL named Mixload.dll.
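The masquerade Brandt describes, executables and archives carrying a .txt extension, is easy to catch by looking at content rather than file names. The following triage script is an added example written for this article, not Webroot's code and not taken from its samples. It uses the public magic values for the formats he names (PE files start with "MZ", RAR archives with "Rar!\x1a\x07\x00" or "Rar!\x1a\x07\x01\x00", and NSIS installers embed the "NullsoftInst" first-header marker inside the PE), and the sample files it scans are constructed stand-ins, not the real payloads.

```python
"""Flag files whose extension says "text" but whose bytes say otherwise.

Added example for the Infosecurity/Webroot article; not Webroot's tooling.
Signature constants come from the public PE, RAR and NSIS format layouts,
and the sample files below are constructed stand-ins, not the real samples.
"""
import os
import tempfile
from typing import List, Tuple

PE_MAGIC = b"MZ"                       # DOS header of every Windows PE file
RAR4_MAGIC = b"Rar!\x1a\x07\x00"       # RAR 1.5-4.x archive signature
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"   # RAR 5 archive signature
NSIS_MAGIC = b"NullsoftInst"           # NSIS first-header marker inside the stub


def looks_like_text(data: bytes) -> bool:
    """Heuristic: no NUL bytes and decodable as UTF-8 (UTF-16 text will fail)."""
    if b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def classify(data: bytes) -> str:
    """Coarse type from content alone; the extension is deliberately ignored.

    A self-extracting RAR is a PE stub with the archive appended, so it starts
    with MZ and carries the RAR signature further in. NSIS installers are PE
    stubs with the NSIS first header (and its marker) after the stub. This is
    a substring check, not a real PE overlay parse, so treat hits as leads.
    """
    if data.startswith(PE_MAGIC):
        if NSIS_MAGIC in data:
            return "pe-nsis"
        if RAR4_MAGIC in data or RAR5_MAGIC in data:
            return "pe-rar-sfx"
        return "pe"
    if data.startswith(RAR4_MAGIC) or data.startswith(RAR5_MAGIC):
        return "rar"
    if looks_like_text(data):
        return "text"
    return "unknown"


def scan_directory(root: str, ext: str = ".txt") -> List[Tuple[str, str]]:
    """Return (relative path, detected kind) for every `ext` file that is not text."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(ext):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                # The stub plus the start of the payload sits near the front of
                # the file, so the first few MiB are enough to find the markers.
                head = fh.read(4 * 1024 * 1024)
            kind = classify(head)
            if kind != "text":
                hits.append((os.path.relpath(path, root), kind))
    return sorted(hits)


# Constructed stand-ins: just enough bytes to carry each format's markers.
CONSTRUCTED_SAMPLES = {
    "readme.txt": b"Installation notes for the player\r\n",
    "setup.txt": b"MZ" + b"\x00" * 510 + b"\xef\xbe\xad\xde" + NSIS_MAGIC + b"\x00" * 64,
    "pack.txt": b"MZ" + b"\x90" * 200 + RAR4_MAGIC + b"\x00" * 64,
    "plain.txt": RAR5_MAGIC + b"\x00" * 32,
    "Mixload.dll": b"MZ" + b"\x00" * 64,  # not .txt, so the scan ignores it
}


def demo() -> List[Tuple[str, str]]:
    """Write the constructed samples to a temp dir, scan it and return the hits."""
    with tempfile.TemporaryDirectory() as root:
        for name, blob in CONSTRUCTED_SAMPLES.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(blob)
        return scan_directory(root)


if __name__ == "__main__":
    for rel, kind in demo():
        print(f"{rel}: extension says text, content says {kind}")
```

Point `scan_directory` at a browser download folder or a temp directory to find the .txt-named droppers; anything reported as `pe-nsis` or `pe-rar-sfx` deserves a closer look. Because the NSIS and RAR checks are plain substring matches, a large text file that happens to mention those markers would be flagged too, which is acceptable for triage but not for a blocking control.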

Brandt goes on to detail the exact steps the malware takes to infect a system, and how it borrows the names of a variety of high-profile brands and businesses, including Adobe, Microsoft and Oracle, to persuade users to install the infected files.

"All this leads me to believe that the creators must feel they are untouchable, untraceable, or otherwise beyond the reach of any law enforcement. The fact that these shenanigans have been going on for nearly a year indicates that they may be correct, or just arrogant", he said.

"If you've suddenly discovered Apache's httpd.exe service running on your machine, despite never having installed it, or ever using your computer as a web server, it might be time for a quick scan", he added.
