PE Came, LOOKED, and Conquered
Description:

When Julius Caesar arrogantly proclaimed "Veni. Vidi. Vici." (I came. I saw. I conquered.) to describe his swift and total victory in the Battle of Zela, he must have been sitting atop his horse and looking over his spoils, contemplating the lethal brilliance of his planning. Sitting atop its Trojan spyware, PE_LOOKED, one of this year's most prevalent file infectors, can lay claim to the same arrogance. Its focused infection routine and stealth tactics let it steal profitable information from thousands of online game accounts across Asia Pacific (APAC), making it a perfect poster boy for one of today's hottest malware trends: region-specific targeted attacks.

[Figure: PE_LOOKED Behavior Diagram]

Veni

Most of PE_LOOKED's routines are nothing new. Upon execution, it drops a copy of itself and sets registry entries so that the copy runs at every system startup. It then terminates certain processes related to antivirus applications. Notably, it stops processes and services belonging to Kingsoft, a China-based antivirus company. Given that Kingsoft also develops and distributes online games, the company appears to draw special ire from PE_LOOKED's authors, to the point where terminating its products has become one of PE_LOOKED's infection signatures. The termination routine is also a telling clue to the infector's region-specificity.

Europe and the US did not escape PE_LOOKED's claws, but their infection counts are paltry compared to APAC's. Starting in January 2006, this malware steadily infected hundreds of systems in the APAC region until the count ballooned to thousands last September and October. Responsible for this high infection count is the network propagation routine of the more recent LOOKED variants.

A LOOKED mother infector creates three threads: one for file infection, one for DLL component injection, and one for network propagation. The propagation thread uses administrator or guest accounts to connect to the default ADMIN$ and IPC$ administrative shares of other machines and drops copies of LOOKED there. Since ADMIN$ maps to the remote Windows directory and IPC$ is the share through which the session is authenticated, this only succeeds where the target accepts the credentials offered; weak or blank administrator passwords and an enabled Guest account are what make the routine effective. Propagation via network shares is very effective for reaching many systems at once, but it is not often used by file infectors. Thus, beyond its file infection cycle, its ability to spread quickly firmly establishes it as more than a virus out to randomly annoy users. Like the fast-spreading worms that propagate to lay the tracks for bot networks, LOOKED variants propagate via network shares to lay the tracks for the information-stealing malware they will download.
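The propagation pattern above leaves a recognizable footprint: one source address authenticating to ADMIN$ and IPC$ on host after host within minutes. The following detection, added here as an illustration and not code from the original advisory or from Trend Micro, runs over constructed share-access records (the log format, host names, accounts and addresses are all made up for the example) and raises one alert per source address that reaches a threshold of distinct hosts over administrative shares inside a sliding time window.

```python
"""Detect a share-propagation sweep: one source address touching ADMIN$ or
IPC$ on many distinct hosts within a short window, which is the footprint a
LOOKED-style infector leaves when it pushes copies of itself over the network.
Both the log format and the log lines below are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed share-access records (one per line): timestamp, accessed host,
# account used, share name, and the source address of the SMB session.
SAMPLE_LOG = r"""
2006-10-02T09:00:05 host=WS-101 user=Administrator share=\\*\IPC$ src=10.1.4.20
2006-10-02T09:00:06 host=WS-101 user=Administrator share=\\*\ADMIN$ src=10.1.4.20
2006-10-02T09:00:11 host=WS-102 user=Administrator share=\\*\IPC$ src=10.1.4.20
2006-10-02T09:00:12 host=WS-102 user=Administrator share=\\*\ADMIN$ src=10.1.4.20
2006-10-02T09:00:19 host=WS-103 user=Guest share=\\*\IPC$ src=10.1.4.20
2006-10-02T09:00:20 host=WS-103 user=Guest share=\\*\ADMIN$ src=10.1.4.20
2006-10-02T09:00:33 host=WS-104 user=Administrator share=\\*\ADMIN$ src=10.1.4.20
2006-10-02T09:00:41 host=WS-105 user=Administrator share=\\*\ADMIN$ src=10.1.4.20
2006-10-02T09:10:00 host=FS-01 user=jdoe share=\\*\Public src=10.1.4.77
2006-10-02T11:30:00 host=WS-106 user=Administrator share=\\*\ADMIN$ src=10.1.4.77
2006-10-02T11:30:02 host=WS-106 user=Administrator share=\\*\IPC$ src=10.1.4.77
"""

LINE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) share=(?P<share>\S+) src=(?P<src>\S+)"
)
# The two shares the advisory names; C$ would be the usual third member of the set.
ADMIN_SHARES = {"ADMIN$", "IPC$"}


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ignore lines that do not fit the constructed format
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["share"] = e["share"].rsplit("\\", 1)[-1].upper()  # \\*\ADMIN$ -> ADMIN$
        events.append(e)
    return events


def find_share_sweeps(events, window=timedelta(minutes=5), min_hosts=3):
    """Return one alert per source address that reached `min_hosts` distinct
    hosts over administrative shares within any `window`-long span."""
    by_src = defaultdict(list)
    for e in events:
        if e["share"] in ADMIN_SHARES:
            by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        sweep = None
        start = 0
        for end in range(len(evs)):
            # Slide the window so that evs[start..end] spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            hosts = {e["host"] for e in span}
            if len(hosts) < min_hosts:
                continue
            if sweep is None:
                sweep = {"src": src, "first_seen": span[0]["ts"], "hosts": set(), "users": set()}
            sweep["hosts"] |= hosts
            sweep["users"] |= {e["user"] for e in span}
        if sweep:
            sweep["hosts"] = sorted(sweep["hosts"])
            sweep["users"] = sorted(sweep["users"])
            alerts.append(sweep)
    return alerts


if __name__ == "__main__":
    for a in find_share_sweeps(parse_log(SAMPLE_LOG)):
        print(f"{a['src']} swept {len(a['hosts'])} hosts starting {a['first_seen']} "
              f"as {', '.join(a['users'])}: {', '.join(a['hosts'])}")
```

On the constructed input only 10.1.4.20 trips the rule (five hosts in under a minute, using both Administrator and Guest), while the single ADMIN$ connection from 10.1.4.77 stays below the threshold. The window and host count are tuning knobs; an administrator's legitimate patch run can look similar, so the account names in the alert are what separate the two.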

PE_LOOKED drops a DLL component that carries out the main purpose of the infector. The DLL downloads Trojan spyware (TSPY) that hooks the mouse and keyboard of the infected computer to steal login data for popular online games. The odd variant or two coughs up other malware, such as backdoors and Trojans, but these too, a step or two later, download online game-targeting TSPYs.

Vidi

Contrary to its name, PE_LOOKED strives not to be looked at. Like any good strategist, it covers itself as best it can to mask its attacks and prevent detection. To begin with, its dropped copy uses the name RUNDL123.EXE, a play on the legitimate file RUNDLL32.EXE, and its infected files keep the same icons as their host files. This spoofing of file names and icons keeps users from getting wary at first glance, and so delays its detection.
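A name like RUNDL123.EXE fools the eye but not an edit-distance check. The script below is an added example, not code from the advisory or from Trend Micro: it compares each file name in a listing against an assumed reference set of Windows system binaries, flags near-misses as lookalikes, and separately flags files that carry a genuine system binary name from outside the system directories (the reference set, directory list and sample listing are all constructed for the example). The same check applies to the registry autorun entries the dropped copy registers.

```python
"""Flag files whose names imitate Windows system binaries, the way RUNDL123.EXE
imitates RUNDLL32.EXE, and files that carry a genuine system binary name but
live outside the system directories. The reference names and the file listing
are constructed for this example; extend the reference set from a clean build."""

# Assumed reference set: binaries that legitimately live under the Windows
# system directories. Names are compared case-insensitively.
SYSTEM_BINARIES = sorted({
    "rundll32.exe", "svchost.exe", "lsass.exe", "csrss.exe",
    "winlogon.exe", "services.exe", "explorer.exe",
})
SYSTEM_DIRS = {"c:/windows", "c:/windows/system32", "c:/windows/syswow64"}
MAX_DISTANCE = 3  # edits allowed before a name stops looking like a copycat


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(path):
    """Return (verdict, reference_name, distance) for one file path.
    verdict is 'ok', 'misplaced' (real name, wrong directory) or 'lookalike'."""
    norm = path.replace("\\", "/").lower()
    directory, _, name = norm.rpartition("/")
    if name in SYSTEM_BINARIES:
        return ("ok" if directory in SYSTEM_DIRS else "misplaced", name, 0)
    stem, _, ext = name.rpartition(".")
    if ext not in ("exe", "dll"):
        return ("ok", None, None)
    # Compare stems only, so the shared ".exe" suffix does not mask the edits.
    ref, dist = min(((r, levenshtein(stem, r.rpartition(".")[0])) for r in SYSTEM_BINARIES),
                    key=lambda pair: pair[1])
    if dist <= MAX_DISTANCE:
        return ("lookalike", ref, dist)
    return ("ok", None, dist)


def scan(listing):
    """Return [(path, verdict, reference_name, distance)] for every flagged path."""
    results = []
    for path in listing:
        verdict, ref, dist = classify(path)
        if verdict != "ok":
            results.append((path, verdict, ref, dist))
    return results


# Constructed listing: two clean entries, one copycat, one misplaced genuine name.
SAMPLE_LISTING = [
    r"C:\Windows\System32\rundll32.exe",               # genuine, in place
    r"C:\Windows\System32\RUNDL123.EXE",               # copycat of rundll32.exe
    r"C:\Users\alice\AppData\Local\Temp\svchost.exe",  # genuine name, wrong directory
    r"C:\Program Files\Game\launcher.exe",             # unrelated program
]

if __name__ == "__main__":
    for path, verdict, ref, dist in scan(SAMPLE_LISTING):
        print(f"{verdict:<9} {path}  (reference {ref}, distance {dist})")
```

RUNDL123.EXE sits three edits from rundll32.exe, so a threshold of three catches it; lower the threshold, or compare only against names of similar length, if short reference names produce noise on real listings.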

Another stealth tactic up its sleeve is LOOKED's picky infection routine. PE_LOOKED keeps hardcoded lists of the files it targets and the files it avoids. The target list covers common EXE, DOC, and XLS files. The avoid list, on the other hand, covers system files and folders. Having an avoid list helps PE_LOOKED stay under the radar, since system files are the ones antivirus applications often check first. Avoiding them also keeps system services and processes running uninterrupted, so nothing looks amiss.

More recently, PE_LOOKED takes its stealth techniques a notch higher as new samples arrive compressed in an unknown packer that changes for every variant. The said packer is proving to be a major headache for antivirus companies because it helps PE_LOOKED slip the grasp of generic patterns that can automatically detect and remove a malware family's variants.
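A packer that changes with every variant defeats byte-pattern signatures, but it cannot hide the statistical fingerprint of compressed or encrypted data. The following script is an added example, not code from the advisory or from Trend Micro: it walks the PE section table with the standard library, computes the Shannon entropy of each section's raw bytes, and reports the sections that sit near 8 bits per byte. The PE image it examines is assembled in code from constructed contents (a low-entropy stub and a pseudo-random blob standing in for a packed image), so the section names, offsets and bytes are all assumptions of the example rather than data from a real sample.

```python
"""Per-section entropy of a PE image, a packer-agnostic indicator: a section
that is compressed or encrypted sits close to 8 bits per byte no matter which
packer produced it, so it still stands out when the packer changes from one
variant to the next. The PE image below is built in code and is not a real
sample; only the header fields this parser reads are filled in."""
import math
import random
import struct
from collections import Counter

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes
PACKED_THRESHOLD = 7.0  # bits per byte; plain x86 code usually scores well below this


def shannon_entropy(data):
    """Shannon entropy in bits per byte, 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image):
    """Return [(name, raw_offset, raw_size, entropy)] from the section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", image, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + opt_size                               # section table follows
    out = []
    for i in range(nsections):
        name, _vsize, _vaddr, raw_size, raw_ptr, *_ = SECTION_HDR.unpack_from(
            image, table + i * SECTION_HDR.size)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        raw = image[raw_ptr:raw_ptr + raw_size]
        out.append((name, raw_ptr, raw_size, shannon_entropy(raw)))
    return out


def packed_sections(image, threshold=PACKED_THRESHOLD):
    """Names of sections whose raw bytes look compressed or encrypted."""
    return [name for name, _, _, ent in pe_sections(image) if ent >= threshold]


def build_sample_pe(sections):
    """Assemble a minimal PE32 image from [(name, raw_bytes)] with 512-byte
    file alignment. Header fields not read by pe_sections() are left zeroed."""
    e_lfanew, opt_size, align = 0x40, 224, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, rest zero
    headers = bytearray(dos + b"PE\0\0" + coff + optional)
    data_off = -(-(len(headers) + len(sections) * SECTION_HDR.size) // align) * align
    body, raw_ptr, vaddr = bytearray(), data_off, 0x1000
    for name, raw in sections:
        raw_size = -(-len(raw) // align) * align
        headers += SECTION_HDR.pack(name.encode().ljust(8, b"\0"), len(raw), vaddr,
                                    raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += raw.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += -(-len(raw) // 0x1000) * 0x1000
    headers += b"\0" * (data_off - len(headers))
    return bytes(headers + body)


# Constructed contents: a small plain-code stub and a blob of pseudo-random
# bytes standing in for the compressed image a packer would carry.
STUB = (b"\x55\x8b\xec" + b"\x90" * 13) * 128           # 2048 bytes, low entropy
_rng = random.Random(2006)
BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))  # 4096 bytes, near 8 bits/byte
SAMPLE_PE = build_sample_pe([(".text", STUB), (".packed", BLOB)])

if __name__ == "__main__":
    for name, off, size, ent in pe_sections(SAMPLE_PE):
        print(f"{name:<8} offset={off:#06x} size={size:#06x} entropy={ent:.2f}")
    print("packed-looking sections:", packed_sections(SAMPLE_PE))
```

Entropy alone is a triage signal, not a verdict: legitimately compressed resources and installers score just as high, so the check earns its keep when combined with the other behaviours described here, such as a dropped RUNDL123.EXE or a sudden burst of ADMIN$ connections.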

All of the abovementioned techniques combine to make PE_LOOKED infection outbreaks harder to detect and contain. In effect, they also contribute to the information-stealing success of its downloaded TSPYs.

Vici

PE_LOOKED's propagation and stealth routines all boil down to the successful installation of several downloaded Trojan spyware programs on as many computers as possible. Members of the TSPY_LINEAGE, TSPY_WOW, and TSPY_GAMANIA families are the information thieves PE_LOOKED most commonly downloads. Why APAC is the targeted region is easy to answer. APAC, especially China, Taiwan, and Korea, is home to some of the world's largest MMOG (massively multiplayer online game) communities. Taiwan, for example, is the headquarters of Gamania, the dot-com company that hosts the popular MMOG Lineage and an army of other online games. The sheer presumed size of China's MMOG market alone makes it a country of choice for TSPY authors hungry for a bountiful information harvest.

Although statistics on the actual number of subscriptions per country per online game are not yet available, this site contains approximations that show World of Warcraft (WOW) and Lineage II as kings in terms of popularity or market share. With subscriptions running into the millions, these MMOGs have long spawned markets for buying and selling virtual items, virtual money, and whole accounts. Thus, for Trojan spyware authors who can harvest the most MMOG account user names and passwords, the profit possibilities are nearly endless.

Whereas one TSPY can already steal a lot of information, PE_LOOKED raises the bar and brings information theft to a new level by installing numerous TSPYs on numerous systems across numerous networks in one go. Targeting APAC in particular concentrates the malware authors' efforts on the one region where the harvest of MMOG account information can be most fruitful.

As of this writing, there is still not one generic pattern that can detect most PE_LOOKED variants with significant success. Solutions available now are mostly band-aids that put out little fires but do nothing to prevent future breakouts. Has PE_LOOKED really earned the right to proclaim "Vici!"? Not just yet.

Threat experts are eyeing the blocking of the URLs from which the TSPYs are downloaded as a way to stop PE_LOOKED from fulfilling its purpose. Blocking access to these malicious sites gives users an ounce of control over the PE_LOOKED tide. The fight is still on. Trend Micro, for one, is working hard towards a permanent solution. No "Vici" yet for PE_LOOKED.


Description created: Dec 29, 2006
