
Virus Detail

Win32/Alureon Family

Date Published:
19 Jan 2006

Last Updated:
15 Feb 2006

Threat Assessment

Overall Risk:   Low
Wild:  Low
Destructiveness:  High
Pervasiveness:  None

Characteristics

Type : Trojan

Category : Win32

Also known as:  Win32.Alureon, Win32/Alureon!generic


Description

Alureon is a family of trojans with a variety of components that can download and execute arbitrary files, hijack the browser to display fake web pages, and report the affected user's queries to popular search engines.


Method of Infection

Alureon variants differ in how they install themselves. Some variants copy themselves into the %System% directory using a random filename; the original executable file is deleted. Code is then injected into the Explorer.exe and IExplore.exe processes. An entry is also added under the registry Run key to ensure that the trojan runs at each Windows start, for example:


Filename: %System%\hgqhp.exe
Registry modification: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\hgqhp.exe = "%System%\hgqhp.exe"


Other variants of Alureon drop a DLL file into the %System% directory, for example:


%System%\spher.dll


and modify the registry to ensure that it is loaded:


HKCR\CLSID\{CLSID}\(Default) = "IE SP2 AddOn" 
HKCR\CLSID\{CLSID}\InprocServer32\(Default) = "%System%\spher.dll" 
HKCR\CLSID\{CLSID}\InprocServer32\ThreadingModel = "Apartment" 


Note: '%System%' is a variable location. The malware determines the location of the current System folder by querying the operating system. The default location of the System directory is C:\Winnt\System32 for Windows 2000 and NT; C:\Windows\System for Windows 95, 98 and ME; and C:\Windows\System32 for Windows XP.



Payload

Downloads and Executes Arbitrary Files

Alureon contacts certain IP addresses to obtain instructions, which direct the trojan to download and execute files, including variants of other malware families such as:


Win32/SillyDl
Win32/DlStwoyle
Win32/Qhosts
Win32/Bloon
Win32/Lospad


Some of the IP addresses used to download from include:


Changes DNS settings

Some variants change the DNS settings. To do so, the trojan alters the file:


%AppData%\Microsoft\Network\Connections\Pbk\rasphone.pbk


by changing the following lines:


IpDnsAddress=<Altered DNS>
IpDns2Address=<Altered DNS>


It then enumerates the following registry entry:


HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters


checking for references to adapters. If found, the adapters' DNS servers are changed by altering the value 'NameServer' in the referenced key, for example:


HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{CLSID}\NameServer = "<Altered DNS>,<Altered DNS>" 


After the trojan has made the relevant operating-system-dependent changes, it runs the following commands:


"ipconfig.exe /flushdns"
"ipconfig.exe /registerdns"
"ipconfig.exe /dnsflush"
"ipconfig.exe /renew"
"ipconfig.exe /renew_all"


to ensure that the settings take immediate effect.


A Domain Name Server holds lists of domain names that map to matching IP addresses. When a user requests a particular domain, say ca.com, the user's machine queries the DNS server, which returns the corresponding numerical IP address (in this example, say, 155.35.248.73). By redirecting the user's requests to a DNS server that contains false or incorrect mappings, an attacker can therefore send the user to sites of the attacker's choice whenever the user requests a domain listed in that server. For example, even if a user types the URL of their Internet banking site into their browser, they could be redirected to a spoofed site with a completely different IP address and be unaware of the subterfuge. Altering the DNS servers may also allow the attacker to track the sites a user visits.
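As an added defender's check (not part of the CA write-up), the Python below parses the IpDnsAddress/IpDns2Address lines of rasphone.pbk entries and the comma-separated NameServer values described above, and reports every resolver outside an allow-list. The phonebook text, the interface GUIDs and the RFC 5737 addresses are constructed sample data, and the allow-list of approved resolvers is an assumption.

```python
import ipaddress
# Resolvers the organisation actually uses (an assumption for this example).
ALLOWED_DNS = {"192.0.2.53", "192.0.2.54"}

# Constructed rasphone.pbk fragment: INI-style, one section per connection entry.
SAMPLE_PBK = """\
[Corp VPN]
IpDnsAddress=192.0.2.53
IpDns2Address=192.0.2.54
[Home ISP]
IpDnsAddress=203.0.113.5
IpDns2Address=203.0.113.6
"""

# Constructed NameServer values keyed by the Interfaces\{CLSID} subkey name.
SAMPLE_NAMESERVERS = {
    "{11111111-2222-3333-4444-555555555555}": "192.0.2.53,192.0.2.54",
    "{66666666-7777-8888-9999-000000000000}": "203.0.113.5,203.0.113.6",
}

def parse_pbk_dns(text):
    """Return {entry name: [IpDnsAddress/IpDns2Address values]} from phonebook text."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries[current] = []
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() in ("IpDnsAddress", "IpDns2Address") and value.strip():
                entries[current].append(value.strip())
    return entries

def is_unexpected(addr):
    """True for a valid IP outside ALLOWED_DNS; 0.0.0.0 in a phonebook means no static DNS."""
    try:
        return not ipaddress.ip_address(addr).is_unspecified and addr not in ALLOWED_DNS
    except ValueError:
        return False

def audit_dns(pbk_text, nameservers):
    """Return (location, address) pairs for resolvers outside ALLOWED_DNS; NameServer is comma/space separated."""
    findings = []
    for entry, addrs in parse_pbk_dns(pbk_text).items():
        findings += [(f"rasphone.pbk [{entry}]", a) for a in addrs if is_unexpected(a)]
    for key, value in nameservers.items():
        findings += [(f"Interfaces\\{key}\\NameServer", a)
                     for a in value.replace(",", " ").split() if is_unexpected(a)]
    return findings
```

On a live host the same functions can be fed the real %AppData%\Microsoft\Network\Connections\Pbk\rasphone.pbk contents and the NameServer values read from each Interfaces\{CLSID} subkey.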


Changes Start Page Settings

Some variants of the trojan change the user's Internet Explorer start page to a custom page of their own, displayed when the browser is started. The following is an example of a page displayed by Alureon:



The trojan displays a "search" page containing a list of common search terms. If the user clicks on any of the terms, or enters text into the box and clicks the search button, the trojan posts this information to a domain, which then redirects the user to other sites.


Tracks User Information

Variants of Alureon also track the user's search activity by monitoring connections to popular search engines. When the user performs a search query, information about the query, such as its contents, the search engine used and a unique identifier, is sent to a remote machine.


Analysis by Raymond Roberts


