Home / malwarePDF  

Win32/Fareit


First posted on 14 February 2012.
Source: Microsoft

Aliases :

There are no other names known for Win32/Fareit.

Explanation :

Win32/Fareit is a multiple component malware family that consists of a password stealing component, PWS:Win32/Fareit, that steals sensitive information from the affected user's computer and sends it to a remote attacker, and a Distributed Denial of Service (DDoS) component, DDoS:Win32/Fareit.gen!A, that may be commanded to perform flooding attacks against other servers.


Top

Win32/Fareit is a multiple component malware family that consists of a password stealing component, PWS:Win32/Fareit, that steals sensitive information from the affected user's computer and sends it to a remote attacker, and a Distributed Denial of Service (DDoS) component, DDoS:Win32/Fareit.gen!A, that may be commanded to perform flooding attacks against other servers.



Installation

Win32/Fareit may be installed by other malware.

PWS:Win32/Fareit is usually installed to a particular location by other malware, then run from this location.

For example, Backdoor:Win32/Cycbot installs it to %ProgramFiles%/lp/<four hexadecimal digits>/<number>.tmp (such as %ProgramFiles%\lp\008a\7.tmp), while Rogue:Win32/FakeScanti installs it to %AppData%\dwme.exe and %temp%\dwme.exe, or %AppData%\svhostu.exe and %temp%\svhostu.exe.

DDoS:Win32/Fareit.gen!A terminates any previous versions of itself that may be running, and copies itself to %AppData%\pny\pnd.exe.

It creates the following registry entry to ensure that this copy executes at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Microsoft PnD"
With data: %AppData%\pny\pnd.exe

It then runs the new copy.

Both components create a registry entry such as the following:

In subkey: HKCU\Software\WinRAR
Sets value: "HWID"
With data: <unique identifier> (for example, {D9CD7060-83A2-46D0-8CEA-5EDF6043EEC7})

Some variants of PWS:Win32/Fareit delete themselves once they have finished running.



Payload

Steals sensitive information

PWS:Win32/Fareit attempts to retrieve stored website passwords from various browsers including Chrome, Firefox, Internet Explorer, and Opera.

It also attempts to steal stored account information, such as server names, port numbers, login IDs and passwords from the following FTP clients or cloud storage programs if these are installed:

  • 32bit FTP
  • 3D FTP
  • ALFTP
  • BitKinex
  • Blaze FTP
  • BulletProof FTP
  • ClassicFTP
  • Coffee Cup FTP
  • Core FTP
  • CuteFTP
  • Direct FTP
  • Easy FTP
  • ExpanDrive
  • FFFTP
  • FTP++
  • FTP Client
  • FTP Control
  • FTP Explorer
  • FTP Navigator
  • FTP Now
  • FTP Rush
  • FTPCommander
  • FTP Voyager
  • Far FTP
  • FileZilla
  • FlashFxp
  • FlingFTP
  • Free FTP
  • Frigate FTP
  • LeapFTP
  • Leech FTP
  • NetDrvie
  • Opus
  • Robo FTP
  • SecureFX
  • SmartFTP
  • Total Commander
  • TurboFTP
  • UltraFXP
  • WS_FTP
  • Web Site Publisher
  • WebDrive
  • WinSCP
  • Windows Commander
  • Wise-FTP by AceBit


It then posts all of this information to a remote server. Examples of servers contacted by the malware include:

  • 178<removed>7.165.42
  • 178<removed>8.243.211
  • 178<removed>38.228.86
  • 46.<removed>8.225.50
  • 46.<removed>.107.13
  • 95.<removed>3.35.118
  • bin<removed>obing.com
  • dom<removed>wsweetnew12312d.ru
  • fni<removed>todn.cz.cc
  • fok<removed>al.cz.cc
  • fuc<removed>ngav.com
  • fuc<removed>ngavast.com
  • goi<removed>opka.com
  • kla<removed>r.co.cc
  • onl<removed>etumb.com
  • our<removed>tatransfers.com
  • piw<removed>yzocyluz.com
  • rep<removed>sys-online.com
  • ret<removed>domain.com
  • saf<removed>di.com
  • sce<removed>fub.cz.cc
  • sum<removed>evebat.com
  • tel<removed>nero.com
  • tra<removed>ersdataforme.com
  • win<removed>ing.com


Participates in DDoS attacks

DDoS:Win32/Fareit.gen!A contacts a command and control server which may request that it participate in DDoS attacks against other servers of its choosing. It then floods the attacked server with multiple HTTP GET or POST requests. It changes the header of the various requests so that each appears to come from a unique referrer (the webpage that the request appears to be linked from), and from multiple web browser versions and languages. This makes these requests more difficult for the attacked server to filter out.

Examples of command and control servers used at the time of publication include the following:

  • 176. <removed>.112.90
  • 176. <removed>.112.95
  • 178. <removed>.166.154
  • 2220 <removed>966122.ru
  • drea <removed>milos4.ru


For more information, please see the description for DDoS:Win32/Fareit.gen!A elsewhere in the encyclopedia.

Downloads and executes arbitrary files

Some samples of PWS:Win32/Fareit have been observed downloading an additional file, saving it to the %TEMP% directory, and then executing it. At the time of publication, these files were variants of PWS:Win32/Zbot.

If a new version of DDoS:Win32/Fareit.gen!A is available, its command and control server may provide a copy of the updated file. This file is then saved to the %TEMP% directory then executed.



Analysis by David Wood

Last update 14 February 2012

 

TOP

Malware :