Security researchers at Symantec have discovered malware that employs code from a security solution to carry out most of its functionality.
The cleverly designed Trojan modifies aspects of the KingSoft WebShield browser protection software to do its bidding, making the security software a kind of do-it-yourself malware kit.
"The interesting part of this package is in its configuration, which allows an opportunity for malicious intent. Kingsoft WebShield has the ability to lock the home page to a specific domain as well as to redirect URLs based entirely on plain text configuration files. This means that a person with malicious intent can repackage it using malicious configuration files and use this as a home-made Trojan package," remarked security researcher Éamonn Young.
The task is accomplished with the addition of two configuration files that modify the legitimate security package and its components to create a Trojan.
After the software package is installed on the target device, one of the files switches the the home page to a URL that serves as a link farm and locks it down so the user can not change it.
The other file controls redirects when the user attempts to visit popular URLs, directing the browser to the link farm instead.
The malware is designed to run on Internet Explorer. Upon installation it deletes any other quick launch icons, and will even install an IE icon if one is not present.
The Trojan is difficult to detect, as it allows the Kingsoft security software to operate normally, and other than delivering a bunch of annoying advertisement redirects, there is little threat to the user.
So far, the Trojan looks to be targeting Chinese users only. The Kingsoft software package, the domains targeted for redirect and the link farms are all Chinese based.
It is possible that the technique will be adapted to serve up malicious URLs, and it may be employed as a delivery mechanism for more dangerous malware.
One has to question the intentions behind the design of the Kingsoft software which allows for such simple modification.