Win32/Redyms and TDL4

Posted: February 18, 2013 in Articles
Tags: , , , , , ,

ESET LogoWhat do Win32/Redyms and TDL4 have in common?

The substitution of the results of search queries in search engines.

Since the beginning of 2013 ESET’s analytics started tracking interesting family of Trojans – Win32/Redyms. This threat is notable that uses the technique of substituting the results of search queries search engines. We have established that it is the most widely received in the U.S. and Canada. In these countries cybercrime market offers the highest price for the redirection (clicks) user search engines to malicious or advertising resources.

Leading Analyst ESET Alexander Matrosov performed deep analysis Win32/Redyms. The result revealed the similarity of this malicious code to another program – Win32/Agent.TJO, which is also known as part of the family Olmarik/TDL4. Win32/Agent.TJO is a trojan user mode, based on the mechanism of clicker a component of TDL4. And TDL4, and Win32/Agent.TJO, and Win32/Redyms use similar mechanisms to control network traffic, which is the browser. For traffic bot captures several features of the library Microsoft Windows Socket Provider (mswsock.dll):

All three families of these malicious programs use the same methods of hooking functions, and encrypted with RC4 encryption algorithm interaction with control C & C server.

Another great feature Win32/Redyms was found in domain name generation algorithm (Domain Generation Algorithm, DGA), which selects C & C servers to communicate. This algorithm is based on a simple alphabetic permutations and changes, according to the original constant. In the pictures below, the reconstruction of this algorithm on python, and the usual decompiled code.

domain names

The list of C&C domain names with malicious code

The first domain names from the list provided in the figure above, were reported in mid-December 2012 – early January 2013. This indirectly indicates that Win32/Redyms spread at the end of December.

Win32/Redyms implements its malicious code into all running processes. If the embedded code detects that the application runs in the browser, it creates a special in the process stream, and captures the functions of the library mswsock.dll.

This code intercepts network activity in the process of running the browser and tries to find the search engines from the selection below.

search engines

List of search engines that monitors malicious code

If it detects the activity of the search engine, all search requests are forwarded to the command C & C server, and the URL-link themselves issued when the search query, replaced in accordance with those that were obtained from C & C.

Check code URL-links based on the interception function WSPSend (), which uses the AVL-tree like structure for storing data.

To work with the structures of AVL-trees malicious code uses the structure of RTL_GENERIC_TABLE kernel32.dll. TDL4 uses the same idea in a user-mode component cmd.dll.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s