
Trojan:Win32/Alureon.DP


First posted on 07 April 2010.
Source: SecurityHome

Aliases :

Trojan:Win32/Alureon.DP is also known as BackDoor.Triplex (Dr.Web), Win32/Olmarik.DL (ESET), DNSChanger!dc (McAfee), Bck/TDSS.CQ (Panda), Troj/Dropr-CR (Sophos).

Explanation :


Trojan:Win32/Alureon.DP is a member of Win32/Alureon - a multi-component family of trojans involved in a broad range of subversive activities online that generate revenue from various sources for its controllers. Mostly, Win32/Alureon is associated with moderating an affected user's online activities to the attacker's benefit. As such, the various components of this family have been used for:

  • modifying the affected user's search results (search hijacking)
  • redirecting the affected user's browsing to sites of the attacker's choice (browser hijacking)
  • changing DNS settings to redirect users to sites of the attacker's choice without the affected user's knowledge
  • downloading and executing arbitrary files, including additional components and other malware
  • serving illegitimate advertising
  • installing rogue security software
  • clicking banners and pop-up advertisements (banner clicking)

Win32/Alureon also uses advanced stealth techniques to hinder the detection and removal of its various components. Some variants of this trojan modify DNS settings on the host computer to enable the attacker to perform these tasks, so it may be necessary to reconfigure DNS settings after the trojan is removed from the computer.

Trojan:Win32/Alureon.DP appears to be used for increasing traffic to a particular page and is most likely installed by other Alureon components.

Installation :

The DLL utilized by Trojan:Win32/Alureon.DP expects to be hosted in either "svchost.exe" or an application, usually a web browser, whose file name contains one of the following words:

  • explore
  • firefox
  • mozilla
  • opera
  • chrome
  • safari
  • flock
  • netscape
  • avant
  • browser

If it is not, it simply exits.

Payload :

Contacts remote host

The malware tries to connect to the following domains, to which it transmits computer identification information and from which it downloads configuration information:

  • triplexfeed.com
  • tripledfund.com

Hooks Windows API calls

The malware hooks the send, WSASend, recv and WSARecv API functions in order to intercept and modify outgoing and incoming TCP traffic.

Additional Information :

Reports from the wild show that the file name used by Trojan:Win32/Alureon.DP is normally "4DW4R3<random letters>.sys".
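The indicators in this write-up (the host-process name check, the two contacted domains and the "4DW4R3<random letters>.sys" driver name) can be turned into simple triage checks. The script below is an added example for defenders, not code from the original write-up or from the malware author; the DNS log format it parses ("timestamp client_ip query_name") is a constructed assumption, as is the sample log itself.

```python
import re
from typing import Iterable

# Indicators taken from the write-up above (not an exhaustive list).
ALUREON_DP_DOMAINS = {"triplexfeed.com", "tripledfund.com"}
HOST_NAME_WORDS = ("explore", "firefox", "mozilla", "opera", "chrome",
                   "safari", "flock", "netscape", "avant", "browser")
# Reported on-disk name: "4DW4R3" followed by random letters, ".sys" extension.
DRIVER_NAME_RE = re.compile(r"^4DW4R3[A-Za-z]+\.sys$", re.IGNORECASE)


def is_suspect_driver_name(filename: str) -> bool:
    """True if a file name matches the reported 4DW4R3<random letters>.sys pattern."""
    return DRIVER_NAME_RE.match(filename) is not None


def is_candidate_host_process(process_name: str) -> bool:
    """Mirror the trojan's own host check (svchost.exe or a browser-like image name).

    Useful for deciding which running processes to inspect for the injected DLL."""
    name = process_name.lower()
    return name == "svchost.exe" or any(w in name for w in HOST_NAME_WORDS)


def matches_c2_domain(query: str) -> bool:
    """True if a DNS query name is one of the listed domains or a subdomain of one."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in ALUREON_DP_DOMAINS)


def scan_dns_log(lines: Iterable[str]) -> list[tuple[str, str]]:
    """Return (client, query) pairs whose query hits a listed domain.

    Assumed (constructed) log format: '<timestamp> <client_ip> <query_name>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than crash on them
        client, query = parts[1], parts[2]
        if matches_c2_domain(query):
            hits.append((client, query))
    return hits


# Constructed sample input so the script runs stand-alone.
SAMPLE_DNS_LOG = [
    "2010-04-07T10:00:01 10.0.0.5 www.example.com",
    "2010-04-07T10:00:02 10.0.0.5 triplexfeed.com",
    "2010-04-07T10:00:03 10.0.0.9 update.tripledfund.com.",
    "2010-04-07T10:00:04 10.0.0.9 nottriplexfeed.com",
]

if __name__ == "__main__":
    print(scan_dns_log(SAMPLE_DNS_LOG))
    print(is_suspect_driver_name("4DW4R3abXq.sys"))
```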

Analysis by Marian Radu

Last update 07 April 2010
