Researchers say that the the purpose of the infection is to make money for the attacker by selling security risks and advertisement clicks.
Infected machines serve up compromised browser advertising pop-ups. “From what we have seen, if a button on the PC Speed Test or PC Performer Test pop-up window is clicked, the browser redirects the user to a security risk download site,” said Symantec researcher Takashi Katsuki. “The ‘how fast can you build your muscle mass?’ pop-up window looks like an advertisement, but at the time of writing nothing happens if the button is clicked. We have only seen the ‘captcha’ pop-up window in one attack and we have not yet analyzed it to see what it does.”
The malware works by inserting a JavaScript tag that loads the malicious content, which overlays a pop-up window on the bottom left corner of the browser. The legitimate site itself is not actually infected nor connected with the pop-up content in any way; the JavaScript is only inserted into the compromised computer’s browser and not the web server.
The Spachanel trojan uses a new tactic by malware authors to open up and protect a solid network connection between compromised computers and their own servers, employing the SPF email validation system to ensure that the malware can receive commands and be updated.
“Communication between the malware and the malware servers may be filtered by a gateway or local firewall, or blocked by an intrusion prevention system (IPS),” explained Katsuki. “Consequently, malware authors try to find more secure methods of providing communication between the malware and the servers. For example…Backdoor.Makadocs uses the Google docs viewer function as a proxy to maintain a solid connection between the malware and its servers.”
Now, SPF is being used the same way, because it provides an important benefit: domains or IP addresses in SPF can be obtained from a DNS request, and that allows it to better evade detection.
“Why did the attacker use SPF to get the malicious domains or IP addresses? My guess would be that it is because the attacker wants to hide communication in legitimate DNS queries,” Katsuki noted. “If this malware connects to the attacker’s server by a higher port number using the original protocol, it may be filtered by a gateway or local firewall, or blocked by an IPS. In some cases, specific domains are blocked by a local DNS server, but this malware generates a domain that is rarely filtered.”
Furthermore, DNS requests are generally speaking not sent directly. Usually there is a DNS cache server in the network or in the ISP network, which makes it difficult for a firewall to filter it.
As always, businesses and consumers can protect themselves by ensuring that machines have the latest software patches installed and that antivirus definitions are up-to-date.