Home / malware Trojan:W32/Feedel
First posted on 24 November 2008.
Source: SecurityHomeAliases :
There are no other names known for Trojan:W32/Feedel.
Explanation :
A trojan, or trojan horse, is a seemingly legitimate program which secretly performs other, usually malicious, functions. It is usually user-initiated and does not replicate.
right]The Feedel trojan is downloaded onto a system by a separate downloader program, which will then proceed to execute Feedel.
We detected the downloader as Trojan-Downloader:W32/Agent.HZB.
Feedel's actual payload depends on the type of malware which is stored in the final, encrypted section of its code, and is usually a LinkOptimizer or Trojan-Password stealer.
Download
The actual download is performed by a small (usually 6000 to 7000 bytes) downloader with the mutex name "Global\__RST__". The downloader itself is usually packed with UPX.
The downloader retrieves an encrypted data file (usually named aacaa.gif, aacab.gif or similar) from a malicious link. The name of the link varies, but usually appears as:
- http://[...]/pix/[filename].gif
The IP address of the malicious link is password-protected; in the sample we received, the password was "countermode.ws".
Once downloaded onto the system, the downloader completely decrypts the data file.
Encryption
All the possible strings, API names and other details of the downloaded file are completely encrypted using the encryption algorithm RC4 block cipher. Before decryption, the data file appears as:
The data file is also protected by a password. The password appears as:
In the example shown, the password is "zlf4g0wdlv".
The size of the password used for the encrypted data is usually around 10 characters. The strength of this password means that using a brute-force attack to crack it would take a long time. Simply guessing it would be almost impossible.
After decryption, the same data file appears as:
The decrypted content is detected as a Trojan:W32/Feedel variant.
Execution
On execution, the downloader will decrypt the actual malware, which is contained in the last encrypted segment of content in the downloaded file, and is protected by a separate 9-byte long password. Once decrypted, the malware will lock itself to the hardware. The type of malware stored into this final segment may vary, but have usually been Linkoptimizers or Trojan-PSW malware.
In the sample we analyzed, the trojan collects system information from the infected machine, specifically the serial number of the Windows drive and the size of the partition. Using this information, it then adds an additional layer of encryption and drops the malware in the temporary folder, using a value obtained from GetTickCount API for the filename.
Feedel uses this information as an encryption/decryption RC4 key, to ensure that the malware cannot and will not be executed on any other machine. Incidentally, this also makes analysis very difficult to perform.
Feedel uses the system temporary folder, %temp%. An example path is as follows:
- C:\%temp%10874359.exe
C:WindowsTemp10874359.exe
The temporary file is then executed, after which both the downloader and the file that created the above mentioned file will be deleted.Last update 24 November 2008
