June 18, 2014
Sometimes users disregard the need to protect their computers with anti-virus software, and as a result their systems get infected. It can be said that, in this respect, users whose computers are infected with the multi-component Trojan.Tofsee are a little luckier than other people— apart from the spamming it does, the Trojan can also cure a system of other threats, and, surprisingly, it is quite good at it.
Trojan.Tofsee is spread in a variety of ways: via Skype, social networking sites, and removable drives. In the first case, criminals use the most common social engineering techniques and try to convince users that shocking videos and photos of them are available on the Internet. Although this approach has been used by virus distributors for many years, people still fall into this simple trap.
A special module, which is downloaded by the malware from a criminal-owned server, is responsible for distributing Trojan.Tofsee via Twitter, Facebook and VKontakte, as well as through Skype. Messages sent by the module are generated using the template found in the configuration file. Messages sent to users of social networking sites are created in the users’ expected language.
The message text contains a link to the page where the user can supposedly access the reputation-damaging videos and photos. However, to view this content, the user is prompted to download the browser plugin which in fact is Trojan.Tofsee.
To send messages via Twitter, Facebook and VKontakte, the malicious module uses data found in cookies stored by Microsoft Internet Explorer, Mozilla Firefox, Opera, Safari and Google Chrome. To send messages through Skype, the module presses buttons in the application's window. The module can also circumvent CAPTCHA protection by sending images to a recognition server which returns the text to the Trojan for entry into a web form.
Another module facilitates the Trojan’s distribution via removable data storage devices. Here virus writers also decided against reinventing the wheel and took a common approach: the module saves the Trojan.Tofsee executable in the Recycle Bin and creates the file autorun.inf in the storage media’s root directory. The control server issues the command to infect a system.
Another module allows the Trojan.Tofsee kernel to be updated from the attackers' server. All the parameters required to conduct this procedure are stored in a special configuration file. If one of the parameters is missing, instead of updating, the Trojan downloads this rather curious image from the server:
However, the module designed to search and delete all detected Trojans and other malware from an infected computer is much more unusual. This module can search disks for files on a given list, as well as entries in the Windows registry; enumerate running processes; and delete detected malicious files. Thus, even if you do not have an anti-virus program, Trojan.Tofsee will “take care” of your system’s security.
The main purpose of Trojan.Tofsee is to send spam. The text of spam emails is generated using special templates that the Trojan downloads from a malicious server. Networking and SMTP routines are implemented in the main Trojan.Tofsee module. After the Trojan successfully connects to the server, the server sends it decryption keys. The Trojan then sends data to the command server and receives commands for later execution. It is worth mentioning that the Trojan uses its own script language to generate spam emails, which is quite rare in the world of malware.
Currently, Tofsee.Trojan can download from remote servers 17 plugins implemented as dynamic-link libraries. In addition to the modules described above, Trojan.Tofsee also uses the following plugins:
- A plugin for verifying remote host addresses transmitted to the plugin as a configuration data block.
- A plugin for executing DDoS-attacks. It can mount two types of attacks: http flood and syn flood;
- An encrypted Trojan.PWS.Pony.5 plugin;
- A plugin that logs data used by Internet Explorer. This plugin which has its own configuration file extracts from its body the library IEStub.dll and injects it into the browser process. It has a configuration file of its own;
- A plugin that processes graphics files that are subsequently used by other plugins;
- A module that retrieves email addresses from the Internet Account Manager and PStoreCreateInstance, generates sender addresses according to the template % NAMEPC% @mail.ru, and tries to send messages to the addresses on the generated list;
- A plugin that downloads Trojan.BtcMine.148 which is designed to mine bitcoins. It installs Trojan.BtcMine.148 in a system and provides it with all the necessary operational parameters;
- A plugin that installs Trojan.Siggen.18257 in the system32\drivers\ folder as a file with a random name and the extension .sys, and then runs it;
- An HTTP and socks5 proxy module;
- A plugin that generates and sends emails; It uses its own script language to generate messages and sends them over HTTPS; SSL encryption is implemented through Microsoft Unified Security Protocol Provider;
- The low-level traffic interception and analysis library uses a special driver to perform its tasks. It searches the data stream for information transmitted via FTP and SMTP and can modify the address and body of a message;
- The plugin that generates and processes configuration templates;
- The script language plugin involved in creating spam messages.
Trojan.Tofsee‘s signature, as well as that of all its modules, have been added to the Dr.Web virus databases, so this Trojan poses no threat to computers protected by our anti-virus products. Doctor Web's security researchers urge readers not to expect to be lucky enough to catch a virus that will protect their computers from all known threats, but to use more traditional and tried-and-true methods—install current anti-virus programs and keep virus definitions up to date.
Tell us what you think
To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.
Other comments