Here’s another twist in regionally targeted attacks: A new Trojan (pretending to be a toolbar installer) is spreading that bundles the legitimate toolbar for the German social network “StudiVZ” with a variant of Backdoor-CEP. Among other malicious activities, the backdoor is capable of recording a user’s screen, taking screenshots, and logging keyboard strokes. At first glance, the deliberately modified installer looks perfectly harmless, especially because it refuses to do anything malicious if it detects certain security products or if it thinks it’s being observed through a sandbox or a debugger.

Behind the curtain, however, a lot of non-kosher things happen. The installer injects parts of the bundled malicious code into running processes, or starts a legitimate process in a suspended state, unmaps its original image, maps different, malicious content into the process in its place, and then resumes it. The malicious code is hard to detect because it is decrypted and injected directly into memory and is never written to disk.
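The suspend-unmap-write-resume sequence described above leaves a recognizable footprint in an API-call trace, which is how a sandbox or endpoint sensor can flag it even though nothing touches disk. The following is an added example, not code from the McAfee post or from the malware: it assumes a hypothetical trace format of `<seq> <caller_pid> <api> key=value ...` and the sample lines are constructed for illustration. It correlates a CREATE_SUSPENDED process creation with later NtUnmapViewOfSection and WriteProcessMemory calls against that child by the same caller, and reports only when the child is then resumed; a process that is merely created suspended and resumed (as a debugger would do) is not reported.

```python
"""Flag the process-hollowing chain (suspend, unmap, write, resume) in an API trace.

Added example: hypothetical trace format, constructed sample lines.
"""
import re

CREATE_SUSPENDED = 0x4  # documented CreateProcess creation flag

# Constructed sample trace: pid 1234 hollows a suspended svchost.exe (5678);
# pid 2222 just creates a suspended child and resumes it (benign debugger-like).
SAMPLE_TRACE = """\
1 1234 CreateProcessW image=C:\\Windows\\System32\\svchost.exe flags=0x4 new_pid=5678
2 1234 NtUnmapViewOfSection pid=5678 base=0x00400000
3 1234 VirtualAllocEx pid=5678 base=0x00400000 size=0x20000 protect=0x40
4 1234 WriteProcessMemory pid=5678 base=0x00400000 size=0x20000
5 1234 SetThreadContext pid=5678
6 1234 ResumeThread pid=5678
7 2222 CreateProcessW image=C:\\Tools\\debuggee.exe flags=0x4 new_pid=7777
8 2222 ResumeThread pid=7777
"""

LINE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\S+)\s*(.*)$")
UNMAP, WRITE, RESUME = "NtUnmapViewOfSection", "WriteProcessMemory", "ResumeThread"


def parse_trace(text):
    """Parse trace lines into dicts with seq, caller, api and a key=value args dict."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than abort
        seq, caller, api, rest = m.groups()
        args = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
        events.append({"seq": int(seq), "caller": int(caller), "api": api, "args": args})
    return events


def _is_suspended_create(ev):
    """True for CreateProcessA/W calls carrying the CREATE_SUSPENDED flag."""
    if ev["api"] not in ("CreateProcessA", "CreateProcessW") or "new_pid" not in ev["args"]:
        return False
    try:
        flags = int(ev["args"].get("flags", "0"), 16)
    except ValueError:
        return False
    return bool(flags & CREATE_SUSPENDED)


def find_hollowing(events):
    """Return one finding per suspended child that was unmapped, written to and resumed, in that order."""
    tracked = {}  # child pid -> {caller, image, seen: {api: seq}}
    findings = []
    for ev in sorted(events, key=lambda e: e["seq"]):
        if _is_suspended_create(ev):
            child = int(ev["args"]["new_pid"])
            tracked[child] = {"caller": ev["caller"], "image": ev["args"].get("image", "?"), "seen": {}}
            continue
        if "pid" not in ev["args"]:
            continue
        child = int(ev["args"]["pid"])
        state = tracked.get(child)
        if state is None or state["caller"] != ev["caller"]:
            continue  # only the creator acting on its own suspended child is of interest
        state["seen"].setdefault(ev["api"], ev["seq"])
        if ev["api"] == RESUME:
            seen = state["seen"]
            if UNMAP in seen and WRITE in seen and seen[UNMAP] < seen[WRITE] < seen[RESUME]:
                findings.append({"caller": ev["caller"], "target": child, "image": state["image"],
                                 "chain": [seen[UNMAP], seen[WRITE], seen[RESUME]]})
            del tracked[child]  # once resumed, the hollowing window is closed
    return findings


if __name__ == "__main__":
    for f in find_hollowing(parse_trace(SAMPLE_TRACE)):
        print("hollowing: pid %d -> pid %d (%s) via trace seq %s" % (f["caller"], f["target"], f["image"], f["chain"]))
```

Ordering matters: a write that precedes the unmap, or a resume with no prior write, does not satisfy the rule, which keeps installers and debuggers that legitimately start children suspended out of the results.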

After the toolbar’s installer has finished, it automatically runs an instance of Internet Explorer to open http://studivz.net, which is the social network’s login site. With the newly installed toolbar clearly visible now through additional controls and logos on top, the user’s next step will most probably be to log into the social networking site.

At this point the backdoor has already infected a number of running processes in memory and installed a callback to capture and save any keystrokes.

The author of this variant of Backdoor-CEP seems to be particularly interested in StudiVZ credentials; the Trojan also makes periodic connection attempts to a host located in Germany. Fortunately for McAfee customers, the malicious installer is blocked by Artemis and by the (former Secure Computing) Web Gateway.
This is really a great article. I argue that the attacker tries to use the captured credentials elsewhere, e.g., on online banking portals.
Franz
Great post, thanks for those insights Dennis!
Hope to read more from you.
Maik