Opachki: State of the art malware continues to evolve

Rmus · Nov 3, 2009

When the Conficker worm emerged on the scene, an entirely new type of sophistication in malware coding revealed a professional, knowledgeable understanding of the inner workings of the Windows Operating system. With Opachki, this sophistication continues in other areas, such as web page coding:

Opachki, from (and to) Russia with love
http://isc.sans.org/diary.html?storyid=7519

Opachki Link Hijacker Trojan Analysis
http://www.secureworks.com/research/threats/opachki/

Each search-hijacking-by-malware scheme that the SecureWorks Counter Threat Unit (CTU) has uncovered so far seems to have a different twist, and the Opachki trojan is no different. Instead of only hijacking search result links, Opachki attempts to hijack as many links as it can on any web page, using the text enclosed by the HTML HREF tag as a faux search phrase when redirecting the user to an affiliate-based search engine.

Opachki is typically installed via "drive-by" browser exploits. There is an executable dropper component that loads an embedded DLL file. The DLL installs itself in several system locations to ensure continued execution on the infected machine.

These locations are:

The user's Documents folder, as "ntuser.dll"

The user's Temp folder, as "rundll32.dll"

The user's Startup folder, as "scandisk.dll"

The system32 directory, as "calc.dll"

Using user as well as system paths ensures that the trojan will operate even if the user does not have administrator privileges on the infected machine.
Click to expand...

Most people who frequent security forums might conclude that they are immune from the browser exploit, or even vulnerabilities in other software. But malware authors have no concern about this small minority of computer users world wide, as indicated by statistics in many research articles showing millions of people infected via the most common of attack vectors, and, of course, the various social engineering tricks.

So, as the various holiday seasons approach, why not share some of your knowledge with family/friends, to see if they are aware of how they might be vulnerable to the many different types of exploits making the rounds!

regards,

-rich

BrendanK. · Nov 4, 2009

Very nice stuff Rmus! It's such a shame people get infected by these easily prevented exploits

innerpeace · Nov 4, 2009

Thanks for the heads up Rich. This one sounds nasty as it also disables safe mode.

From the isc.sans.org link:

Besides dropping the DLL, the dropper also does one vary nasty action: it completely deletes the SafeBoot registry key by calling reg.exe, as shown below:

This prevents the system from booting in Safe Mode – the attackers did this to make it more difficult to remove the trojan. This goes well with what I've been always saying – do not try to clean an infected machine, always reimage it.
Click to expand...

Bolded words are very wise words indeed (bolding by me). Even better advice would be don't get infected in the first place.

Log in or Sign up

Opachki: State of the art malware continues to evolve

Rmus Exploit Analyst

BrendanK. Guest

innerpeace Registered Member

Log in or Sign up

Opachki: State of the art malware continues to evolve

Rmus Exploit Analyst

BrendanK. Guest

innerpeace Registered Member

Useful Searches