It’s not uncommon in malware to discover that more than one family is written by the same author or group, and it can be interesting to see where the overlaps occur.
Yesterday I was looking into a couple of webpages that had been brought to our attention. Each was detected as Mal/JSShell-B, and each tried to exploit a different old and long-patched vulnerability in Internet Explorer to run code that would download and execute a file from the same website. When I downloaded that file, I found that we already detected it as Mal/Heuri-E, but I was interested, so I carried on investigating.
Bear with me, there are a lot of names but it all ties together in the end.
One of the things this Mal/Heuri-E file does is download a configuration file, which contains a list of other files for it to download – in this case 10 more. So off I went and downloaded them, and three among them caught my eye – one detected as Mal/Dorf-A, one as Troj/Enclag-A, and one as Troj/Agent-FZB.
The Mal/Dorf-A file is a downloader in the same broad family as all the Dorf Trojans and Dref worms and viruses that we have been seeing so many of in recent weeks, mostly being spammed out in an attempt to enlarge an existing bot network. Troj/Enclag-A is a network sniffer, designed to report the network connections of the infected computer to a remote website. Troj/Agent-FZB loads another component directly into memory; that component in turn drops two stealthing rootkits and injects code into Internet Explorer to download yet more files.
So what? Well, Troj/Enclag-A is written by the same author as the Clagger Trojans, a family of downloaders that we used to see on a regular basis, being spammed out in massive campaigns. That author was also responsible for other families of malware, including the CashGrab, Cimuz and SpamToo Trojans, whose strategies were discussed in an earlier blog entry. And here it was, being downloaded by something that was also downloading a Dorf.
As for Troj/Agent-FZB, it was mid-way through my investigation into this file that we started to see large quantities of the same file being spammed out. And today we have seen an extremely similar file, Troj/Agent-FZG, spammed out in even larger quantities; the components these two files load into memory (detected proactively as Mal/Basine-C) have turned out to be new faces in the Pushu family of Trojans. So more malware in more spam.
It’s possible that Mr Dorf is just borrowing code from Mr Clagger, and that Mr Pushu is mailing out his own little malicious monsters from somewhere else entirely. But it’s much more likely that the same gang is responsible for all this malware, and is increasing the range of weaponry in their arsenal while still using very similar tactics.
How did I know that Troj/Enclag-A was by the same author as the Clagger Trojans, if it had completely different functionality? And what on earth has this got to do with a blog dedicated to the Los Alamos National Laboratory? That’s going to have to wait until a later posting …