Description:
As the threat landscape undergoes a major shift, the threats that define it either change in accordance with the shift or, where a threat is significant enough, drive the shift themselves.
One threat group has changed considerably: file infectors. These malware, among the earliest forms of threats, gave way to worms at the onset of the outbreak era: although file infectors can be more destructive because they modify files, they lack the spreading capability that worms have. In the outbreak era, the game was the number of affected computers and the reach of an infection, more than destructiveness. Indeed, worms reigned supreme in that era. But in this age of targeted attacks, worms have given way to the true big shots of the day: Trojan downloaders, spammers, and information stealers.
File infectors, however, are not giving way now. If anything, 2006 saw the revival of file infectors. As much as 25% of all cases processed by Trend Micro in its real-time case processing are related to file infectors. That is the second largest share of cases for any malware type, next only to the 43% for Trojans.
File infectors survive in the changing environment because they adapt. PE_FUJACKS, a young family of file infectors discovered in the last quarter of 2006, exemplifies this. It has taken on the traits that characterize the current threat landscape: multi-component, sequential, focused, Web-based, and profit-driven.
By taking on these characteristics, PE_FUJACKS also further blurs the distinction between threat types. More than a threat type, PE_FUJACKS represents an elaborate attack, carefully launched to achieve a sinister goal.
Multi-component and Sequential: Three propagation routines
As a file infector, PE_FUJACKS is a basic threat. It searches all local and mapped drives for .EXE, .SCR, .PIF, and .COM files and appends its code to them. It creates an infection marker to avoid re-infection. Since this malware can propagate through mapped drives, a network that is not fully protected from these attacks may suffer file corruption or overwritten files.
Notably, it uses the same infection marker across all variants, so a new variant does not re-infect machines where an earlier FUJACKS malware already resides. This can delay detection to a certain extent: if an initial infection escapes the attention of a user, FUJACKS does not risk detection by performing additional suspicious activities. It also suggests a concerted effort by the family, each variant contributing to the family's common goal.
PE_FUJACKS also infects .ASP, .ASPX, .HTM, .HTML, .JSP, and .PHP files by appending an IFrame to them. This routine not only creates a second platoon to carry on the download routine in case a clever user extinguishes the front lines provided by the infected executables; if the affected system is a Web server, or if a user uploads infected files to the Internet, it also provides another way for this malware to download other threats onto unsuspecting users' computers.
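Appending infectors such as the one described above write their body after the host's last PE section, so a cheap triage check is to measure the "overlay" (bytes beyond the end of the last section) of every .EXE, .SCR and .PIF on a share or mapped drive. The following is an added example written for this article, not Trend Micro's tooling: it parses just enough of the PE header to compute the overlay, walks a tree for the file types named in the text, and includes a constructed minimal PE builder (build_minimal_pe, an assumption for the demo, not a real sample) so the check can be exercised offline. .COM files are not PE images, so they are reported as unparsable rather than flagged.

```python
import os
import struct
from typing import Dict, Optional

# File types the article says PE_FUJACKS appends itself to (.COM files are not
# PE images, so overlay_size() simply returns None for them).
TARGET_EXTENSIONS = {".exe", ".scr", ".pif", ".com"}


def overlay_size(data: bytes) -> Optional[int]:
    """Bytes past the end of the last section, or None if data is not a parsable PE file.

    An appending infector writes its body after the host's original sections,
    so a non-zero overlay is a triage signal (legitimate installers and signed
    binaries also carry overlays, so compare against a known-good baseline).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    sec_table = pe_off + 24 + opt_size
    end = sec_table + 40 * num_sections                        # the section table itself
    for i in range(num_sections):
        off = sec_table + 40 * i
        if off + 40 > len(data):
            return None                                        # truncated section table
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        end = max(end, raw_ptr + raw_size)
    return max(0, len(data) - end)


def scan_for_overlays(root: str, min_overlay: int = 1) -> Dict[str, int]:
    """Walk a tree and report targeted file types whose overlay is at least min_overlay bytes."""
    hits: Dict[str, int] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TARGET_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    size = overlay_size(fh.read())
            except OSError:
                continue
            if size is not None and size >= min_overlay:
                hits[path] = size
    return hits


def build_minimal_pe(section_payload: bytes, overlay: bytes = b"") -> bytes:
    """Constructed single-section PE32 header layout for the demo; it is not executable code."""
    opt = bytes(224)                      # PE32 optional header, zero-filled
    pe_off = 0x40
    sec_table = pe_off + 24 + len(opt)
    raw_ptr = sec_table + 40              # section data right after the one section header
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", pe_off)   # 64-byte DOS header, e_lfanew at 0x3C
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    section = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(section_payload), 0x1000, len(section_payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + coff + opt + section + section_payload + overlay


if __name__ == "__main__":
    clean = build_minimal_pe(b"\x90" * 16)
    appended = build_minimal_pe(b"\x90" * 16, overlay=b"A" * 100)  # constructed, not a real sample
    print("clean overlay:", overlay_size(clean))        # 0
    print("appended overlay:", overlay_size(appended))  # 100
```

Run scan_for_overlays against a mapped drive or share root and diff the result against a scan taken before the incident; files that gained an overlay are the ones worth submitting for analysis.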
When a FUJACKS-infected HTML file is viewed, the IFrame accesses a certain Web site, which redirects to another site that contains a malicious VBScript. This VBScript connects to yet another site to download a malicious file. The downloaded file is in fact another variant of PE_FUJACKS, revealing an unmistakable sequential attack. When a user accesses a Web site with an HTML file infected by one FUJACKS variant, the user's machine is infected by a completely different variant.
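For a Web administrator, the routine above leaves a recognisable trace: an IFrame appended after the document's closing tag, often with zero dimensions so the visitor sees nothing. The scanner below is an added example written for this article (not Trend Micro code or any real FUJACKS signature); it walks a Web root for the extensions the text lists and flags IFrames that sit after </html> or declare a zero width or height. The sample pages and the placeholder host placeholder.invalid are constructed for the demo.

```python
import os
import re
from typing import Dict, List

# File types the article says PE_FUJACKS appends its IFrame to.
WEB_EXTENSIONS = {".asp", ".aspx", ".htm", ".html", ".jsp", ".php"}

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
ZERO_DIM_RE = re.compile(r"""\b(width|height)\s*=\s*["']?\s*0\b""", re.IGNORECASE)
CLOSING_HTML_RE = re.compile(r"</html\s*>", re.IGNORECASE)


def scan_markup(text: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious <iframe> in a page's source.

    Two indicators are checked: an iframe that appears after the closing
    </html> tag (code appended to a finished file) and an iframe declared
    with a zero width or height (invisible to the visitor).
    """
    findings: List[Dict[str, object]] = []
    close = CLOSING_HTML_RE.search(text)
    end_of_doc = close.end() if close else None
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        src = SRC_RE.search(tag)
        appended = end_of_doc is not None and m.start() >= end_of_doc
        zero_size = bool(ZERO_DIM_RE.search(tag))
        if appended or zero_size:
            findings.append({
                "offset": m.start(),
                "src": src.group(1) if src else "",
                "appended_after_html": appended,
                "zero_size": zero_size,
            })
    return findings


def scan_tree(root: str) -> Dict[str, List[Dict[str, object]]]:
    """Walk a Web root and scan every file with a Web-content extension."""
    report: Dict[str, List[Dict[str, object]]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in WEB_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = scan_markup(fh.read())
            except OSError:
                continue
            if hits:
                report[path] = hits
    return report


# Constructed samples: a finished page with an invisible iframe appended after
# </html> (placeholder host, not an indicator from the article) and a clean page
# whose iframe is a normal, visible part of the document.
SAMPLE_INFECTED = (
    "<html><body><h1>Welcome</h1></body></html>\n"
    '<iframe src="http://placeholder.invalid/x.htm" width="0" height="0"></iframe>'
)
SAMPLE_CLEAN = (
    '<html><body><iframe src="/help.html" width="300" height="200"></iframe></body></html>'
)

if __name__ == "__main__":
    for label, page in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(label, scan_markup(page))
```

The src values collected from findings are the hosts to block at the proxy and to feed into the redirect chain investigation; a site that legitimately uses zero-size frames will show up too, so review hits rather than deleting on sight.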
Suddenly, PE_FUJACKS is not so basic anymore.
To further its goals, FUJACKS needs to propagate not only within a computer, as file infection achieves, but beyond it, into the network. It thus drops copies of itself into network shares under an attractive file name: GameSetup.exe. A user on the network who falls for this social engineering scheme is bound to be affected next, the new system becoming a springboard for further propagation.
It also searches for removable drives and drops copies of itself onto them. It does not need attractive file names for this particular routine -- it also drops an AUTORUN.INF file that automatically executes the copy when the infected removable drive (a USB flash drive, for instance) is inserted.
Additionally, PE_FUJACKS propagates via instant messaging, further fueling the resurrection of IM as a popular vector for threats. It sends instant messages containing a link to a Web site that, in turn, hosts scripts or exploit code that automatically download a copy of PE_FUJACKS onto the system without prompting the user.
As a means of entrenchment, PE_FUJACKS deletes ghost image (.GHO) files. With a ghost copy, a user can easily restore the system's settings without reformatting. Clearly, FUJACKS does not want the affected user to undo its system modifications. It also avoids infecting certain folders, notably those that contain system files. Needless to say, FUJACKS needs its host computer running, or it cannot achieve its goal.
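Both the share copies and the removable-drive copies described above leave artifacts a responder can sweep for: a lure-named executable in a share root, and an AUTORUN.INF whose launch keys point at a copy of the infector. The following is an added example written for this article, not Trend Micro's tooling. It parses AUTORUN.INF leniently (real ones are often sloppy), reports which keys would launch something when the drive is inserted, and checks a directory listing for the GameSetup.exe lure name. The sample files, the listing and the target name copy.exe are constructed for the demo.

```python
import os
from typing import Dict, List

# [autorun] keys that make Windows launch something when the drive is inserted
# (assuming autorun was enabled on the host, as was common at the time).
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")
# Lure filename the article attributes to the network-share copies.
LURE_NAMES = {"gamesetup.exe"}


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the launch-related keys of the [autorun] section, keys lower-cased.

    A hand-rolled parser is used instead of configparser because real
    AUTORUN.INF files are often sloppy (mixed-case section names, duplicate
    keys, lines without '=') and we want to extract what we can, not fail.
    """
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            key = key.strip().lower()
            if key in LAUNCH_KEYS:
                entries[key] = value.strip()
    return entries


def assess_autorun(text: str) -> List[str]:
    """Reasons an AUTORUN.INF deserves attention; an empty list means nothing is launched."""
    reasons: List[str] = []
    for key, value in parse_autorun(text).items():
        reasons.append(f"{key} launches {value!r}")
        tokens = value.replace("\\", "/").split()
        if tokens and os.path.basename(tokens[0]).lower() in LURE_NAMES:
            reasons.append(f"{key} target uses the GameSetup.exe lure name")
    return reasons


def find_lure_copies(filenames: List[str]) -> List[str]:
    """From a directory listing (share root, drive root), pick out lure-named files."""
    return [n for n in filenames if n.lower() in LURE_NAMES]


def triage_drive_root(root: str) -> Dict[str, List[str]]:
    """Inspect a mounted drive or share root for an AUTORUN.INF and lure-named copies."""
    result: Dict[str, List[str]] = {"autorun_findings": [], "lure_copies": []}
    try:
        names = os.listdir(root)
    except OSError:
        return result
    result["lure_copies"] = find_lure_copies(names)
    for n in names:
        if n.lower() == "autorun.inf":
            with open(os.path.join(root, n), "r", encoding="utf-8", errors="replace") as fh:
                result["autorun_findings"] = assess_autorun(fh.read())
    return result


# Constructed AUTORUN.INF in the style the article describes; copy.exe is a placeholder.
SAMPLE_AUTORUN = """[AutoRun]
; dropped next to a copy of the infector
open=copy.exe
shellexecute=copy.exe
icon=copy.exe,0
"""
# Constructed benign AUTORUN.INF: only cosmetic keys, nothing is launched.
BENIGN_AUTORUN = "[autorun]\nicon=disk.ico\nlabel=Holiday photos\n"
# Constructed listing of a network share root.
SAMPLE_SHARE_LISTING = ["readme.txt", "GameSetup.exe", "Q3_report.xls"]

if __name__ == "__main__":
    print(assess_autorun(SAMPLE_AUTORUN))      # two launch keys reported
    print(assess_autorun(BENIGN_AUTORUN))      # []
    print(find_lure_copies(SAMPLE_SHARE_LISTING))  # ['GameSetup.exe']
```

Disabling autorun on workstations removes the execution path this routine depends on; the parser is still useful afterwards, because an AUTORUN.INF with launch keys on a drive that never needed one tells you which removable media have been through an infected machine.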
Focused Attack: PE_LOOKED, Get Out of the Way!
The Chinese computing community has come under heavy attack in recent months. WORM_QQPASS steals user account information related to the instant messaging application Tencent QQ, which is very popular in China. TSPY_LINEAGE, on the other hand, steals account information related to the online game Lineage, which is also hugely popular in China and other countries in the Asia Pacific. TSPY_LINEAGE has been known to ride on another family of file infectors, PE_LOOKED, to spread, explaining the numerous infections that LOOKED has registered in the region.
PE_FUJACKS also targets the Chinese computing population, albeit even more directly than WORM_QQPASS, TSPY_LINEAGE, or PE_LOOKED. PE_FUJACKS is designed to run on Chinese Windows platforms. It uses messages in Chinese in its propagation via instant messaging, and it searches running processes for Chinese characters to identify those it aims to terminate. Although technically it can run on other platforms, English platforms do not read its code correctly.
It is worth having mentioned PE_LOOKED at this point, because FUJACKS has anti-LOOKED routines. PE_FUJACKS wants its systems working without a glitch, and all to itself.
FUJACKS terminates processes related to PE_LOOKED. It treats PE_LOOKED as competition, not only in terms of payload but in terms of residence on the infected system. PE_LOOKED drops the file _DESKTOP.INI in every infected folder as its infection marker. By using the same file name for the very same purpose, PE_FUJACKS, the younger of the two families, drags both malware into a finders-keepers game.
For both malware, this means establishing territory on computers that have not been infected by the other. Given the huge numbers of computers PE_LOOKED has been infecting in Asia Pacific, FUJACKS seems to be hoping to gain ground on computers that are cleaned of PE_LOOKED.
Users are caught in the crossfire -- cleaning their computers of either malware means risking infection by the other.
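Because both families use the same _DESKTOP.INI marker, its presence scopes an infection but does not say which family wrote it, and it must not be confused with Windows' own desktop.ini (no leading underscore), which legitimately appears in many folders. The sweep below is an added example written for this article, not Trend Micro's tooling: it classifies file names, lists every directory carrying the marker from a path listing (any separator) or from a live tree, and the sample listing is constructed for the demo.

```python
import os
from typing import Iterable, List, Optional

MARKER_NAME = "_desktop.ini"  # infection marker both PE_LOOKED and PE_FUJACKS drop (per the article)
LEGIT_NAME = "desktop.ini"    # Windows' own folder-customisation file: same name minus the underscore


def classify(filename: str) -> Optional[str]:
    """'marker' for the underscored infection marker, 'windows' for the legitimate file, else None."""
    name = filename.lower()
    if name == MARKER_NAME:
        return "marker"
    if name == LEGIT_NAME:
        return "windows"
    return None


def marker_dirs_from_paths(paths: Iterable[str]) -> List[str]:
    """Directories holding the marker, from a file listing with either path separator."""
    dirs = set()
    for p in paths:
        head, _, name = p.replace("\\", "/").rpartition("/")
        if classify(name) == "marker":
            dirs.add(head or ".")
    return sorted(dirs)


def sweep(root: str) -> List[str]:
    """Walk a live tree (a drive, a share) and list every directory carrying the marker."""
    found = [dirpath for dirpath, _dirs, files in os.walk(root)
             if any(classify(f) == "marker" for f in files)]
    return sorted(found)


# Constructed listing mixing the marker, Windows' legitimate desktop.ini and ordinary files.
SAMPLE_LISTING = [
    "C:\\Games\\_DESKTOP.INI",
    "C:\\Games\\play.exe",
    "C:\\Users\\me\\desktop.ini",
    "D:\\share\\_desktop.ini",
    "C:\\Games\\sub\\_Desktop.ini",
]

if __name__ == "__main__":
    for d in marker_dirs_from_paths(SAMPLE_LISTING):
        print("marker present in", d)
```

The list of marked directories is the set of folders whose executables should be rescanned with current patterns for both families; deleting the marker alone, as the article's finders-keepers observation implies, only makes the folder eligible for re-infection by whichever family arrives next.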
Web-based and Profit-driven: PE_FUJACKS Downloads Trojan Spyware
Whereas file infectors before it merely cause damage via the modifications they do to files, PE_FUJACKS indeed jacks it up by making its attack Web-based.
It connects to a Web site to download a text file that lists other Web sites, which it then connects to in order to download other files. This has a huge implication for the whole FUJACKS attack: a remote user, most likely the malware author, can change the contents of the text file at any time. The malware author thus controls what FUJACKS downloads, and therefore what the overall FUJACKS attack will be. The author can, for instance, sell the URLs to adware companies willing to pay to have their annoying little programs automatically installed on FUJACKS-infected systems.
Indeed, it has been verified that the contents of the text file constantly change. But one entry does not change: a URL that points to an updated copy of PE_FUJACKS. Being Web-based therefore gives FUJACKS not only variability, which could evade antivirus detection of components and URL blocking, but also the capability to constantly improve -- the ability to dodge whatever protection antivirus outfits set up.
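Two defensive uses follow from the two paragraphs above: the entry that survives every revision of the text file is the best blocking candidate, and a proxy log will show the same client fetch a small text file and then, within seconds, executables from several different hosts. The script below is an added example written for this article, not Trend Micro's tooling; it extracts URLs from captured revisions, intersects them to find the persistent entry, and runs a simple chain detection over proxy log lines. The log format, the revisions and every host under placeholder.invalid are constructed for the demo, not real indicators.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".dll")
# Constructed log layout: timestamp client method url status bytes
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+) (?P<bytes>\d+)$")


def parse_url_list(text: str) -> List[str]:
    """Extract download URLs from a captured configuration text file, in order, deduplicated."""
    seen: Set[str] = set()
    out: List[str] = []
    for u in URL_RE.findall(text):
        if u not in seen:
            seen.add(u)
            out.append(u)
    return out


def persistent_urls(revisions: List[str]) -> Set[str]:
    """URLs present in every captured revision; with a constantly changing list these are the stable entries."""
    sets = [set(parse_url_list(r)) for r in revisions]
    return set.intersection(*sets) if sets else set()


def detect_config_driven_downloads(log_lines: List[str], window_s: int = 120,
                                   min_hosts: int = 2) -> List[Dict[str, object]]:
    """Alert when a client fetches a .txt and then executables from >= min_hosts distinct hosts within window_s."""
    per_client: Dict[str, List[dict]] = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the run
        rec = m.groupdict()
        rec["time"] = datetime.fromisoformat(rec["ts"])
        per_client[rec["client"]].append(rec)
    alerts: List[Dict[str, object]] = []
    for client, recs in per_client.items():
        recs.sort(key=lambda r: r["time"])
        for i, r in enumerate(recs):
            if not r["url"].lower().endswith(".txt"):
                continue
            hosts: Set[str] = set()
            downloads: List[str] = []
            for later in recs[i + 1:]:
                if (later["time"] - r["time"]).total_seconds() > window_s:
                    break
                if later["url"].lower().endswith(EXEC_EXT):
                    hosts.add(urlsplit(later["url"]).hostname or "")
                    downloads.append(later["url"])
            if len(hosts) >= min_hosts:
                alerts.append({"client": client, "config_url": r["url"], "downloads": downloads})
    return alerts


# Constructed revisions of the configuration text file; only the "upd" entry stays constant.
REVISIONS = [
    "http://a.placeholder.invalid/pay1.exe\nhttp://upd.placeholder.invalid/latest.exe\n",
    "http://b.placeholder.invalid/adw.exe\nhttp://upd.placeholder.invalid/latest.exe\n",
    "http://c.placeholder.invalid/spy.exe\nhttp://upd.placeholder.invalid/latest.exe\n"
    "http://b.placeholder.invalid/adw.exe\n",
]
# Constructed proxy log: one client shows the chain, another fetches a text file innocently.
SAMPLE_LOG = [
    "2007-01-15T10:00:01 10.0.0.5 GET http://cfg.placeholder.invalid/list.txt 200 118",
    "2007-01-15T10:00:03 10.0.0.5 GET http://c.placeholder.invalid/spy.exe 200 61440",
    "2007-01-15T10:00:04 10.0.0.5 GET http://upd.placeholder.invalid/latest.exe 200 40960",
    "2007-01-15T10:05:00 10.0.0.9 GET http://intranet.placeholder.invalid/readme.txt 200 2048",
    "2007-01-15T10:05:30 10.0.0.9 GET http://intranet.placeholder.invalid/tool.exe 200 9000",
]

if __name__ == "__main__":
    print("persistent:", persistent_urls(REVISIONS))
    for a in detect_config_driven_downloads(SAMPLE_LOG):
        print("ALERT", a["client"], "config", a["config_url"], "pulled", a["downloads"])
```

The min_hosts threshold is what keeps a software update (one text manifest, executables from one vendor host) out of the alerts; tune window_s to the interval at which the infector actually re-reads its list once you have measured it from a contained host.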
One of the downloaded files is a Trojan spyware, revealing the profit-driven nature of FUJACKS' attack. The spyware is a member of the TSPY_AGENT family of information stealers. This Trojan spyware logs user keystrokes to steal information related to Zhengtu Online, a new, fast-growing Chinese online game. Like any other online game, Zhengtu Online allows users to purchase virtual assets using real money.
Only last November, the creators of Zhengtu Online offered a new feature, considered to be an innovation in online games. Using real money, gamers can buy an in-game insurance, which will be paid off (in virtual money) in percentages depending on the levels that the gamers reach.
Needless to say, huge amounts of (real) money are involved here. By stealing user information, attackers can take control of accounts from which they can milk money.
Recommendation
In the event of an outbreak, a full network scan is recommended, provided that all servers and clients are using the latest pattern files and have DCE 5.0 installed. We also recommend increasing security settings on mapped drives and, as much as possible, limiting access to read-only. Ensure that all systems have real-time scanning enabled and keep their IWSS always up to date.
In Conclusion
It is not clear whether TSPY_AGENT uses PE_FUJACKS to spread, or PE_FUJACKS uses TSPY_AGENT to steal information. For affected users, however, it is clear that it is a partnership that aims to cash in on stolen information. It's a cyber-crime. This also explains the fight that PE_FUJACKS picked with PE_LOOKED. Although they target different online games, they target the same segment of the computing population and are therefore competitors for resources.
File infectors are interesting components for focused information theft attacks. Their limited propagation serves the purpose of reaching users that are geographically close to each other. PE_FUJACKS' additional propagation via instant messaging allows for a wider reach, but not the unnecessarily widespread reach that mass-mailing worms achieve. And anyway, mass-mailers have become too easy to catch.
If PE_FUJACKS does get detected, the user may be too distracted cleaning infected files to notice the other activities that other components are performing. This brings us back to the original thesis: PE_FUJACKS represents not a single threat type but an elaborate attack -- a multi-component, sequential, focused, Web-based, and profit-driven attack.