Adware Spread Alongside Mevade Variants, Hits Japan and US

In a previous post, we discussed how the rise in the number of Tor users was directly attributed to the Mevade malware. In this post, we look into the details of the Mevade malware and how it first arrived on user systems.

The first batch of Mevade samples we gathered (detected as BKDR_MEVADE.A) was downloaded by a malicious file named FlashPlayerUpdateService.exe (detected as TROJ_DLOADE.FBV). The legitimate Flash updater uses the same file name, so the name alone is not a useful indicator. The two files can be told apart by examining their file properties: the legitimate version is digitally signed, while the malicious version is not, and the version numbers also differ.
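As an added example (not code from the original post), the following Python script checks the one property the text relies on to tell the two files apart: whether a PE file carries an Authenticode certificate table at all. It parses the PE headers directly, with no third-party modules, and builds a constructed, non-executable PE32 image for the demo; the placeholder certificate bytes and the file labels are assumptions for illustration, not data from the analysed samples.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data directory slot holding the certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # WIN_CERTIFICATE type used by Authenticode


def certificate_table(pe: bytes):
    """Return (file_offset, size) of the Attribute Certificate Table, or None if absent.

    Unlike the other data directories, the security entry holds a raw file offset, not an RVA.
    """
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:          # PE32
        rva_count_off, dirs_off = 92, 96
    elif magic == 0x20B:        # PE32+
        rva_count_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    rva_count = struct.unpack_from("<I", pe, opt + rva_count_off)[0]
    if rva_count <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt + size_of_optional:
        return None                      # directory claimed but optional header is truncated
    offset, size = struct.unpack_from("<II", pe, entry)
    return (offset, size) if offset and size else None


def signature_status(pe: bytes) -> str:
    """Triage verdict: 'unsigned', 'pkcs7-present' or 'cert-table-unknown-type'.

    Presence of a PKCS#7 blob is NOT verification: the signature may be invalid, revoked
    or from an untrusted issuer. Confirm with signtool or Get-AuthenticodeSignature.
    """
    table = certificate_table(pe)
    if table is None:
        return "unsigned"
    offset, size = table
    if offset + 8 > len(pe) or offset + size > len(pe):
        return "cert-table-unknown-type"   # table points outside the file: malformed
    length, _revision, cert_type = struct.unpack_from("<IHH", pe, offset)
    if cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and length <= size:
        return "pkcs7-present"
    return "cert-table-unknown-type"


def build_demo_pe(cert_blob: bytes = b"") -> bytes:
    """Construct a minimal PE32 header-only image (demo data, not a real sample).

    If cert_blob is given it is wrapped in a WIN_CERTIFICATE and appended, and the
    security directory is pointed at it, mimicking the layout of a signed binary.
    """
    opt_size = 96 + 16 * 8               # PE32 optional header with 16 directories
    header_len = 0x40 + 4 + 20 + opt_size
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    cert = b""
    if cert_blob:
        cert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         header_len, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    # Constructed stand-ins for the two files described in the text (assumption, not samples).
    malicious_like = build_demo_pe()
    legit_like = build_demo_pe(b"\x30\x03\x02\x01\x01")  # placeholder DER, not a real PKCS#7
    for name, data in (("FlashPlayerUpdateService.exe (unsigned)", malicious_like),
                       ("FlashPlayerUpdateService.exe (signed)", legit_like)):
        print(f"{name}: {signature_status(data)}")
```

Run it against a real file with `signature_status(open(path, "rb").read())`. Treat "unsigned" as the quick screen the post describes; a "pkcs7-present" result still needs chain and timestamp validation (for example with `Get-AuthenticodeSignature` on Windows) before the file is trusted, because attackers can append an arbitrary certificate table to an unsigned binary.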

Figure 1. BKDR_MEVADE.A file properties

Figures 2 and 3. Signed legitimate file

The backdoor communicates with its C&C server over HTTP to receive commands, which include updating its own copy and connecting to a specified location over SSH to secure its communication.

The URLs it uses to reach its C&C servers have the following pattern:

  • http://{malicious domain}/updater/{32 random hexadecimal characters}/{1 digit number}
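To turn the pattern into something a defender can run, here is an added example (not code from the original post) that matches the C&C URL shape against proxy log lines in a simple space-separated format. The log format, the hostnames (reserved .test names) and the IP addresses are constructed for the demo, not taken from the analysis, and the host part of the pattern is deliberately left unconstrained because the post does not name the malicious domains.

```python
import re
from urllib.parse import urlsplit

# Path shape from the post: /updater/{32 hex chars}/{single digit}. Matched
# case-insensitively so an uppercase-hex variant is not missed; the end anchor
# rejects longer trailing numbers such as /12.
MEVADE_PATH = re.compile(r"^/updater/[0-9a-f]{32}/[0-9]$", re.IGNORECASE)

# Constructed proxy log lines (assumed format: timestamp client method url status).
SAMPLE_LOG = """\
2013-09-05T10:01:12Z 10.0.0.15 GET http://updater-cnc.test/updater/0123456789abcdef0123456789abcdef/1 200
2013-09-05T10:01:13Z 10.0.0.15 GET http://updates.vendor.test/flash/version.xml 200
2013-09-05T10:02:40Z 10.0.0.22 GET http://updater-cnc.test/updater/ABCDEF0123456789ABCDEF0123456789/7?x=1 200
2013-09-05T10:03:01Z 10.0.0.31 GET http://intranet.test/updater/deadbeef/1 200
2013-09-05T10:03:05Z 10.0.0.31 GET http://intranet.test/updater/0123456789abcdef0123456789abcdef/12 200
garbage line that does not parse
"""


def matches_mevade_pattern(url: str) -> bool:
    """True if the URL's path (query string ignored) has the Mevade C&C shape."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(MEVADE_PATH.match(parts.path))


def find_mevade_beacons(log_text: str):
    """Return one dict per matching line: time, client, destination host and full URL."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue                       # skip lines that do not fit the assumed format
        timestamp, client, _method, url, _status = fields[:5]
        if matches_mevade_pattern(url):
            hits.append({"time": timestamp, "client": client,
                         "host": urlsplit(url).hostname, "url": url})
    return hits


if __name__ == "__main__":
    for hit in find_mevade_beacons(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} -> {hit['host']} {hit['url']}")
```

A hit on this pattern is a triage signal, not proof of infection: the path shape is generic enough that another updater could use it. In the investigation described here it gains weight when the requesting process is an unsigned FlashPlayerUpdateService.exe or when the destination is one of the Russian-hosted servers the post mentions.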

The IP addresses that host these C&C servers are located in Russia.

Feedback data from the Smart Protection Network shows that TROJ_DLOADE.FBV was found in multiple countries, with Japan and the United States being the most affected.

Table 1. Countries affected by TROJ_DLOADE.FBV

BKDR_MEVADE.A shows a different distribution, which indicates that TROJ_DLOADE.FBV is not being used only to distribute Mevade:

Table 2. Countries affected by BKDR_MEVADE.A

In addition to the Mevade malware itself, we saw that ADW_BPROTECT had also been downloaded onto affected systems. This is expected for Mevade, which, as we noted earlier, is linked to cybercriminals responsible for distributing adware. The adware download is consistent with our finding that the Mevade botnet is likely monetized by installing adware and toolbars. Its geographic distribution is closer to that of the original downloader:

Table 3. Countries affected by ADW_BPROTECT

Newer versions of Mevade (BKDR_MEVADE.B and BKDR_MEVADE.C) no longer use SSH; instead, they route their traffic through the Tor network to hide it. This conceals their activity online, but the behavior and propagation are otherwise identical. These newer versions of Mevade are most

Table 4. Countries affected by BKDR_MEVADE.C

How the malware arrives on the system, however, is still under investigation. We will update this blog should we find more information about the infection vector. In the meantime, users should follow best computing practices: avoid visiting unverified websites and downloading files from links in email, social media, and the like, and always keep systems updated with the latest security patches. Trend Micro detects and deletes the malware cited in this blog entry.

With analysis from Eduardo Altares, Alvin Bacani, and Marvin Cruz.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Story added 6 September 2013; the full text is available from the content source above.