Security researchers at Symantec have discovered malware that employs code from a security solution to carry out most of its functionality.
The cleverly designed Trojan modifies aspects of the KingSoft WebShield browser protection software to do its bidding, making the security software a kind of do-it-yourself malware kit.
"The interesting part of this package is in its configuration, which allows an opportunity for malicious intent. Kingsoft WebShield has the ability to lock the home page to a specific domain as well as to redirect URLs based entirely on plain text configuration files. This means that a person with malicious intent can repackage it using malicious configuration files and use this as a home-made Trojan package," remarked security researcher Éamonn Young.
The task is accomplished with the addition of two configuration files that modify the legitimate security package and its components to create a Trojan.
After the software package is installed on the target device, one of the files switches the home page to a URL that serves as a link farm and locks it down so the user cannot change it.
The other file controls redirects when the user attempts to visit popular URLs, directing the browser to the link farm instead.
The malware is designed to run on Internet Explorer. Upon installation it deletes any other quick launch icons, and will even install an IE icon if one is not present.
The Trojan is difficult to detect, as it allows the Kingsoft security software to operate normally, and other than delivering a bunch of annoying advertisement redirects, there is little threat to the user.
So far, the Trojan looks to be targeting Chinese users only. The Kingsoft software package, the domains targeted for redirect and the link farms are all based in China.
It is possible that the technique will be adapted to serve up malicious URLs, and it may be employed as a delivery mechanism for more dangerous malware.
One has to question the intentions behind the design of the Kingsoft software which allows for such simple modification.
Source: http://www.net-security.org/malware_news.php?id=1654