We had included Win32/Kuluoz and Win32/Cleaman in the June edition of the Microsoft Malicious Software Removal Tool (MSRT). In this blog post we will discuss Win32/Cleaman – a family that belongs to the category of “web redirector”.
Win32/Cleaman is a multi-component trojan with the capability to redirect web search queries. It is usually distributed via drive-by exploit kits and its main purpose is to redirect Bing, Google, and Yahoo search results to either fake or compromised webpages that serve advertisements, adware programs, and malware. Cleaman arrives with an obfuscated loader that drops the EXE and DLL component. It modifies the Windows Hosts file to redirect search engine access to a bogus server, for example:
Figure 1: Hosts file modified to redirect Google and Bing access to a server with the IP address 126.96.36.199 and .17, respectively
To mask its presence, Cleaman uses file names that are similar to clean Windows system files. Furthermore, it has some rootkit functionality in that it hooks several APIs to hide the files, registry, process, and networking operations from common user-mode tools such as Explorer and Registry Editor. There are rootkit-aware tools that are available out there that can help you view hidden Cleaman components, which was what we used to take these screenshots:
Figure 4: Hidden Cleaman registry entry
For complete information about the behavior of this family, please refer to our descriptions for Win32/Cleaman in the MMPC encyclopedia.
Figure 5: Number of Cleaman threats cleaned since the June MSRT edition
The spike from June 12th is around the time that the MSRT tool that included Cleaman was released.
Looking at the origin of detections for Cleaman, United States has the highest percentage of infections with 79%, followed by Canada and United Kingdom with 5% and 4% respectively.
— Rodel Finones, MMPC
Leave a reply