NEWS FROM THE LAB - Tuesday, June 28, 2011

Krebs Trojan Pushes Adult Website Posted by Sean @ 15:19 GMT

Complete malware analysis is often limited by real-world circumstances.

Many of the trojans that we analyze will attempt to connect to a remote server for further instructions. At this point, we know that the software is not legitimate and should be blocked from installation on our customer's computers. We don't really need to examine it any further (and often times, the server is offline). But just what would that trojan do if it only had access to its remote master?

We use automation to test malware in an isolated network. We don't generally test malware with a real Internet connection because we want to limit possible exposure to the rest of the world's netizens. But every now and then something catches our interest and we'll perform a manual test.

Such as the trojan we blogged about last Thursday which creates a mutex named after reporter Brian Krebs.

When we first encountered the trojan, its server, fatgirlsloveme.com, was offline, and then, it went live two days later.

So we configured a Windows 7 test computer, infected it with Trojan-Downloader:W32/Agent.DTBM, connected it to the Internet, and opened Internet Explorer.

One Bing search and then — a pop-up window opened promoting the following webiste:


Russian Sex Brides?

Adult website pop-ups?

We had been hoping for something a bit more interesting. Ah well…

The website doesn't appear to use affiliates as part of its marketing efforts. It's unknown what type of connection the trojan author has with the website's owner, Thunder Road, Inc.

www.russiansexbrides.com Whois

The trojan is still not prevalent, but our customer statistics show that it currently remains active in the wild.