Trojan/Badlib identified as malware distribution network

According to the security vendor's team – Hon Lau and Poul Jensen – whilst it is a given that many malware threats will download extra components from the internet, the trend has accelerated recently with the surge in profit-driven malware.

Lau says that, whilst there has been a lot of public discussion lately about advanced persistent threats (APT) that also make use of software-downloading techniques to augment their facilities, there are also other malware threats doing the rounds that are not so concerned about industrial espionage and issues of national security.

And this, he adds, is where Trojan.Badlib enters the frame: because the malware does not necessarily target high-value information of that kind, it may be considered of lesser interest.

“That does not take away from the fact that the Badlib family is an interesting group in its own right”, he observes in his latest security posting.

Trojan.Badlib, says Lau, acts like a malware distribution network whose purpose is to deliver a range of malware onto suitable computers to carry out specific tasks.

“When it is first installed on a computer, it will check whether the computer has an internet connection”, he says, adding that if there is one, it will contact a control server from a list of addresses hard-coded into the malware.

In the event that the primary command-and-control domains are unavailable, the trojan also has a default list of IP addresses that it can try. When first contacted, Lau and his team report, the remote servers register the infection and respond with details of additional software.

And here's where it gets interesting, as the Symantec researchers say that one version of the downloaded software is Trojan.Badfaker, which disables the infected machine's security software and then attempts to hide the fact that the software has been disabled.

“Initially when we first saw this, we thought that this was just like a traditional rogue anti-virus that attempts to report fake threats and ask for payment to remove the threats. However, on closer inspection we found that the real purpose of this threat is to disable any active security software and then perform activities to make it appear as if the security software is still active”, he says.

“This is done to ensure its survival, as well as the other malicious components which may subsequently be downloaded onto the computer”, he adds.

Another piece of malware that it may download to the computer is Infostealer.Badface, which steals user account details from several popular social networking sites, including some Russian-based sites.

The trojan works, says Lau, by installing a local pass-through web server on the compromised computer and then modifying the hosts file to redirect a long list of social networking site addresses to the localhost IP. This means, he adds, that any requests for the affected addresses will first be directed to the local web server installed by Badface.
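As an added illustration (not code from the article or from Symantec), the following Python check parses a hosts file and flags external hostnames that have been mapped to a loopback address, which is the redirection pattern described above; the sample hosts content and the site names in it are constructed placeholders.

```python
"""Flag hosts-file entries that point external hostnames at a loopback
address, the redirection technique the article attributes to Badface.
Added example, not code from the article or Symantec; sample data is constructed."""
import ipaddress

# Names that legitimately resolve to loopback and must not be flagged.
LEGITIMATE_LOOPBACK_NAMES = {"localhost", "localhost.localdomain",
                             "ip6-localhost", "ip6-loopback", "broadcasthost"}

def parse_hosts(text):
    """Return (ip, hostname, line_no) tuples; handles '#' comments,
    blank lines and several hostnames on one line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue  # blank, comment-only, or an address with no names
        for name in parts[1:]:
            entries.append((parts[0], name.lower(), line_no))
    return entries

def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; False for anything unparsable."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def find_loopback_redirects(text):
    """Return (hostname, ip, line_no) for non-localhost names mapped to loopback."""
    return [(name, ip, line_no) for ip, name, line_no in parse_hosts(text)
            if is_loopback(ip) and name not in LEGITIMATE_LOOPBACK_NAMES]

# Constructed sample: benign defaults plus injected redirects of the kind the
# article describes (the site names are placeholders, not real domains).
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback
192.168.1.10 build-server.internal   # legitimate local entry
127.0.0.1   www.social-example.com social-example.com  # injected
127.0.0.1   login.social-example.ru
"""

if __name__ == "__main__":
    for name, ip, line_no in find_loopback_redirects(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```

On a real system, run the same check over /etc/hosts or the Windows equivalent and compare the flagged names against a baseline, since any external name resolving to loopback is worth a look.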

And now here's the bad news, as the researcher says that, whilst we know that the current Badlib trojans mine for bitcoins and steal social networking credentials, there is no way to tell how the family will develop in the future.

“The people behind [these] malware threats often target whatever money-making schemes they can find. This means that what it downloads will often change, when its masters decide to latch onto new money-making ventures. When that happens we will likely see new variants hit the virtual streets with the new functionalities”, he noted.
