US, Taiwan Most Affected by Mevade Malware

In a previous post, we discussed how the sudden rise in the number of Tor users was directly attributed to the Mevade malware. In this post, we look into the details of the Mevade malware itself and how it first arrived on user systems.

The first batch of Mevade samples (detected as BKDR_MEVADE.A) we gathered was downloaded by a malicious file named FlashPlayerUpdateService.exe (detected as TROJ_DLOADE.FBV). (The legitimate Flash updater uses the same file name.) The two files can be differentiated by examining the file properties. The legitimate version is signed, while the malicious version is not, as seen below:

Figure 1. BKDR_MEVADE.A file properties

Figure 2. Signed legitimate file
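The check in the screenshots above can be scripted for triage. The following is an added example (not code from the original post or from Trend Micro): it parses the PE headers of a candidate FlashPlayerUpdateService.exe and reports whether the file carries an Authenticode certificate table at all. The minimal PE image it builds for demonstration is constructed and is not a real binary. One caveat a practitioner should keep in mind: the presence of a signature blob is only the first, cheap filter. It says nothing about whether the signature is valid or who signed it, so a "signed" result still needs signtool or Get-AuthenticodeSignature to confirm the publisher before the file is trusted.

```python
import struct
import sys

# Index of the Certificate Table (Authenticode) entry in the PE data directory.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
# wCertificateType value for a PKCS#7 SignedData blob, the form Authenticode uses.
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def authenticode_directory(data: bytes) -> tuple:
    """Return (file_offset, size) of the Certificate Table, or (0, 0) if the image has none.

    Raises ValueError if the buffer is not a PE image. Only the headers are parsed.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    if len(data) < opt + 2:
        raise ValueError("truncated PE headers")
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                       # PE32: data directories start at offset 96
        dirs = opt + 96
    elif magic == 0x20B:                     # PE32+: data directories start at offset 112
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry = dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt + size_of_optional or entry + 8 > len(data):
        return (0, 0)                        # image declares too few data directories
    # For this directory alone, "VirtualAddress" is a raw file offset, not an RVA.
    return struct.unpack_from("<II", data, entry)


def has_authenticode_signature(data: bytes) -> bool:
    """True when the image carries a WIN_CERTIFICATE of type PKCS#7 SignedData.

    Presence only: the signature, chain and signer are NOT validated here.
    """
    offset, size = authenticode_directory(data)
    if size < 8 or offset + size > len(data):
        return False
    # WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType
    length, _revision, cert_type = struct.unpack_from("<IHH", data, offset)
    return cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and 8 < length <= size


def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32 image (headers only) used as sample input; not a real binary."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)      # 64 bytes
    optional_size = 224                                                  # PE32 with 16 directories
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, optional_size, 0x0102)
    optional = bytearray(optional_size)
    struct.pack_into("<H", optional, 0, 0x10B)
    header_len = len(dos) + 4 + len(coff) + optional_size
    cert = b""
    if signed:
        # Placeholder payload standing in for a real PKCS#7 structure (constructed).
        blob = b"\x30\x82" + b"\0" * 14
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        struct.pack_into("<II", optional, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         header_len, len(cert))
    return dos + b"PE\0\0" + coff + bytes(optional) + cert


if __name__ == "__main__":
    # Usage: python check_sig.py FlashPlayerUpdateService.exe [more files...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            verdict = "signature present" if has_authenticode_signature(fh.read()) else "UNSIGNED"
        print("%s: %s" % (path, verdict))
```

An unsigned FlashPlayerUpdateService.exe, as in Figure 1, returns (0, 0) for the certificate table and is an immediate red flag; a file that does carry a table still has to be verified against the expected publisher.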

The backdoor communicates with its C&C server over HTTP to receive commands, which include updating its own copy and connecting to a specified host over SSH so that its subsequent communication is encrypted.

The URLs it uses to access its C&C servers have the following pattern:

  • http://{malicious domain}/updater/{32 random hexadecimal characters}/{1 digit number}

The IP addresses that host these C&C servers are located in Russia.
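The URL pattern above is specific enough to hunt for in web proxy logs. As an added example (not from the original post), the Python snippet below applies that pattern to proxy log lines and reports which internal clients contacted a matching URL. The log layout, client addresses, and domains are constructed for illustration; the path structure is the one described in the post. Because newer variants moved their traffic to Tor, this catches only the HTTP-based first batch, and a hit should be treated as an indicator to confirm on the host rather than as a verdict on its own.

```python
import re

# Pattern from the post: http://{malicious domain}/updater/{32 hex chars}/{1 digit}
# Hex case is accepted either way; the trailing path segment must be exactly one digit.
MEVADE_CNC_RE = re.compile(
    r"^http://(?P<host>[^/\s]+)/updater/(?P<token>[0-9a-fA-F]{32})/(?P<cmd>[0-9])$"
)

# Constructed proxy log, one request per line: <timestamp> <client_ip> <method> <url> <status>.
# Lines 4 and 5 are deliberate near-misses (31 hex chars; non-hex token and two-digit suffix).
SAMPLE_LOG = """\
2013-09-02T10:14:03Z 10.0.0.15 GET http://cnc-a.example.net/updater/0f8e7d6c5b4a39281716f5e4d3c2b1a0/1 200
2013-09-02T10:14:09Z 10.0.0.15 GET http://fpdownload.example.com/get/flashplayer/update/current/version.xml 200
2013-09-02T10:15:41Z 10.0.0.22 GET http://cnc-b.example.org/updater/ABCDEF0123456789abcdef0123456789/3 200
2013-09-02T10:16:02Z 10.0.0.22 GET http://cnc-b.example.org/updater/abcdef0123456789abcdef012345678/3 404
2013-09-02T10:17:30Z 10.0.0.31 GET http://intranet.example.local/updater/status/12 200
""".splitlines()


def match_mevade_url(url: str):
    """Return the host/token/cmd fields if the URL matches the C&C pattern, else None."""
    m = MEVADE_CNC_RE.match(url.strip())
    return m.groupdict() if m else None


def scan_proxy_log(lines):
    """Return a list of (client_ip, url, fields) for every log line whose URL matches.

    Assumes the constructed whitespace-separated layout above; adapt the field
    indices to the real proxy's format.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue                           # skip malformed or truncated lines
        client, url = parts[1], parts[3]
        fields = match_mevade_url(url)
        if fields:
            hits.append((client, url, fields))
    return hits


def affected_clients(lines):
    """Distinct client addresses that contacted a matching URL, sorted for reporting."""
    return sorted({client for client, _url, _fields in scan_proxy_log(lines)})


if __name__ == "__main__":
    for client, url, fields in scan_proxy_log(SAMPLE_LOG):
        print("%s -> %s (cmd=%s)" % (client, fields["host"], fields["cmd"]))
```

If the proxy only logs the URL path rather than the full URL, the same check works on the path alone by dropping the `http://host` prefix from the expression.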

Looking into the feedback data provided by the Smart Protection Network, we found that almost all – 96% – of BKDR_MEVADE.A infections were found in the United States.


Table 1. Smart Protection Network feedback for BKDR_MEVADE.A (past 30 days)

In addition to the Mevade malware itself, we saw that ADW_BPROTECT had also been downloaded onto affected systems. This is expected, as we noted earlier that Mevade is linked to cybercriminals responsible for distributing adware. The downloading of adware is consistent with our finding that the Mevade botnet is possibly monetized by installing adware and toolbars.

Newer versions of Mevade no longer use SSH; instead they route their traffic through the Tor network to hide it. This helps conceal their activity online, but otherwise their behavior and propagation are identical.

Smart Protection Network feedback shows that users in the United States, Japan, Taiwan, India, and Brazil were the most affected by this second batch of variants:


Table 2. Smart Protection Network feedback for BKDR_MEVADE.B (past 30 days)


Table 3. Smart Protection Network feedback for BKDR_MEVADE.C (past 30 days)

How the malware arrives on the system, however, is still under investigation. We will update this blog should we find more information about the infection vector. In the meantime, users should observe best computing practices: avoid visiting unverified websites and downloading files from unverified links in email, social media, and the like, and keep systems updated with the latest security patches. Trend Micro detects and deletes the malware cited in this blog entry.


With analysis from Eduardo Altares, Alvin Bacani, and Marvin Cruz.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro



Story added 6 September 2013; the full text is available from the content source linked above.