F-Secure
Tools
Trojan:W32/Feedel
| Name : | Trojan:W32/Feedel |
| Detection Names : |
Trojan.Win32.Feedel.gen Trojan:W32/Feedel Trojan:W32/Feedel |
| Category: | Malware |
| Type: | Trojan |
| Platform: | W32 |
| Date of Discovery: | October 20, 2008 |
Summary
A trojan, or trojan horse, is a seemingly legitimate program which secretly performs other, usually malicious, functions. It is usually user-initiated and does not replicate.
Disinfection
In most reported cases, the payload stored in the final encrypted section of the Feedel trojan's code is a LinkOptimizer.
A tool for removing the LinkOptimizer is available from:
To protect themselves from deletion, LinkOptimizer variants modify their file security permissions and registry key. Additional steps are required to successfully remove them from the system.
Finding the Sample
Example Registry key:
Manual disinfection instructions:
A tool for removing the LinkOptimizer is available from:
To protect themselves from deletion, LinkOptimizer variants modify their file security permissions and registry key. Additional steps are required to successfully remove them from the system.
Finding the Sample
• Launch the Registry Editor
• Navigate to the following:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
• Check to whic file the "Debugger" value points
Example Registry key:
• [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
Debugger="c:\windows\system32\jardrlmn.log"
Debugger="c:\windows\system32\jardrlmn.log"
Manual disinfection instructions:
• Start cmd.exe
• Kill the explorer.exe process from Task Manager
• Kill all processes that do not have SYSTEM or NETWORK SERVICE in the User Name column, EXCEPT the cmd.exe process
• Using cmd.exe, go to the folder where the malware sample is located, for example: cd windows\system32
• Add the necessary permission to the malware sample
(Example: "cacls [filename] /G Everyone:F")
(Example: "cacls [filename] /G Everyone:F")
• Remove the read-only and other attributes of the malware sample
(Example: "attrib -r -s -h")
(Example: "attrib -r -s -h")
• Delete the malware sample using cmd.exe
(Example: "del [filename]")
(Example: "del [filename]")
• Launch the Registry Editor
• Navigate to
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
• Add necessary permissions to the key by right-clicking on it, then selecting Permissions and selecting the Full Control checkbox
• Delete the key from the Registry
• Start explorer.exe
• Restart the system and check the Registry again. If the registry key is not present, the infection has been successfully removed
Additional Details
The Feedel trojan is downloaded onto a system by a separate downloader program, which will then proceed to execute Feedel.
We detected the downloader as Trojan-Downloader:W32/Agent.HZB.
Feedel's actual payload depends on the type of malware which is stored in the final, encrypted section of its code, and is usually a LinkOptimizer or Trojan-Password stealer.
Download
The actual download is performed by a small (usually 6000 to 7000 bytes) downloader with the mutex name "Global\__RST__". The downloader itself is usually packed with UPX.
The downloader retrieves an encrypted data file (usually named aacaa.gif, aacab.gif or similar) from a malicious link. The name of the link varies, but usually appears as:
The IP address of the malicious link is password-protected; in the sample we received, the password was "countermode.ws".
Once downloaded onto the system, the downloader completely decrypts the data file.
Encryption
All the possible strings, API names and other details of the downloaded file are completely encrypted using the encryption algorithm RC4 block cipher. Before decryption, the data file appears as:
The data file is also protected by a password. The password appears as:
In the example shown, the password is "zlf4g0wdlv".
The size of the password used for the encrypted data is usually around 10 characters. The strength of this password means that using a brute-force attack to crack it would take a long time. Simply guessing it would be almost impossible.
After decryption, the same data file appears as:
The decrypted content is detected as a Trojan:W32/Feedel variant.
Execution
On execution, the downloader will decrypt the actual malware, which is contained in the last encrypted segment of content in the downloaded file, and is protected by a separate 9-byte long password. Once decrypted, the malware will lock itself to the hardware. The type of malware stored into this final segment may vary, but have usually been Linkoptimizers or Trojan-PSW malware.
In the sample we analyzed, the trojan collects system information from the infected machine, specifically the serial number of the Windows drive and the size of the partition. Using this information, it then adds an additional layer of encryption and drops the malware in the temporary folder, using a value obtained from GetTickCount API for the filename.
Feedel uses this information as an encryption/decryption RC4 key, to ensure that the malware cannot and will not be executed on any other machine. Incidentally, this also makes analysis very difficult to perform.
Feedel uses the system temporary folder, %temp%. An example path is as follows:
The temporary file
We detected the downloader as Trojan-Downloader:W32/Agent.HZB.
Feedel's actual payload depends on the type of malware which is stored in the final, encrypted section of its code, and is usually a LinkOptimizer or Trojan-Password stealer.
Download
The actual download is performed by a small (usually 6000 to 7000 bytes) downloader with the mutex name "Global\__RST__". The downloader itself is usually packed with UPX.
The downloader retrieves an encrypted data file (usually named aacaa.gif, aacab.gif or similar) from a malicious link. The name of the link varies, but usually appears as:
• http://[...]/pix/[filename].gif
The IP address of the malicious link is password-protected; in the sample we received, the password was "countermode.ws".
Once downloaded onto the system, the downloader completely decrypts the data file.
Encryption
All the possible strings, API names and other details of the downloaded file are completely encrypted using the encryption algorithm RC4 block cipher. Before decryption, the data file appears as:
The data file is also protected by a password. The password appears as:
In the example shown, the password is "zlf4g0wdlv".
The size of the password used for the encrypted data is usually around 10 characters. The strength of this password means that using a brute-force attack to crack it would take a long time. Simply guessing it would be almost impossible.
After decryption, the same data file appears as:
The decrypted content is detected as a Trojan:W32/Feedel variant.
Execution
On execution, the downloader will decrypt the actual malware, which is contained in the last encrypted segment of content in the downloaded file, and is protected by a separate 9-byte long password. Once decrypted, the malware will lock itself to the hardware. The type of malware stored into this final segment may vary, but have usually been Linkoptimizers or Trojan-PSW malware.
In the sample we analyzed, the trojan collects system information from the infected machine, specifically the serial number of the Windows drive and the size of the partition. Using this information, it then adds an additional layer of encryption and drops the malware in the temporary folder, using a value obtained from GetTickCount API for the filename.
Feedel uses this information as an encryption/decryption RC4 key, to ensure that the malware cannot and will not be executed on any other machine. Incidentally, this also makes analysis very difficult to perform.
Feedel uses the system temporary folder, %temp%. An example path is as follows:
• C:\%temp%\10874359.exe
C:\Windows\Temp\10874359.exe
C:\Windows\Temp\10874359.exe
The temporary file