The Latest in IT Security

July MSRT on web redirector malware


This month, we added Win32/Tracur and Win32/Dursg, two of the most prevalent pieces of malware belonging to the category of ‘web redirectors’, to our Malicious Software Removal Tool (MSRT). After just over two weeks in release, we have early numbers on our success in detecting and removing these twinned threats.

In terms of functionality, Win32/Tracur is a backdoor trojan with the capability to redirect web search queries. It is worth mentioning that about 99% of Win32/Tracur samples we have seen also install Win32/Dursg.

As mentioned in our earlier post “MSRT July 2011: Targeting web redirector malware“, Win32/Tracur installs a browser helper object, or BHO, for IE to monitor web search queries. It also drops Win32/Dursg to install malicious extensions for Firefox and Opera. User query results from search engines such as Google, Yahoo!, AOL, Ask and Bing will be redirected to a malicious site. To guarantee Win32/Tracur control, it modifies several registry entries. To disguise its presence, dropped files are named similarly to Windows DLLs.

Figure 1: Snapshot of the infected Windows system folder

In the above figure, notice that new files such as audiosrv23.dll, dmime32.dll, and hnetmon32.exe do not usually exist in a clean system. Win32/Dursg on the other hand, installs Mozilla Firefox and Opera extensions as illustrated below to accomplish the same task.

Win32/Dursg installs Firefox extension
Figure 2: Malicious Firefox extension


Win32/Dursg installs Opera extension
Figure 3: Malicious Opera extension

Win32/Dursg has been seen to be distributed with other malwares and file infectors such as Sality, Virut, Polip, Alureon, and Tracur, to name just a few, further assisting in its wide distribution. For complete information about the behavior of both malware families, please refer to our descriptions for Win32/Tracur and Win32/Dursg in the MMPC encyclopedia.

Since the release of MSRT on July 12, we have removed 516,517 Win32/Tracur threats from 242,517 computers making this malware the top threat on the list. Another 91,041 instances of Win32/Dursg were removed from 73,166 computers.

Family Threats Machines
Tracur          516,547            242,517
Sality          429,202            239,353
Cycbot          199,339            170,889
Alureon          125,475              94,857
FakeRean            90,926              84,798
Vobfus            90,004              82,670
Taterf          100,183              77,618
Rimecud            80,865              74,614
Dursg            91,041              73,166
Brontok            73,429              68,370

Chart: MSRT top malware families removed in July 2011 

The big number of Tracur threats can be accounted to its dropped files. Tracur will drop modified copies of itself in the <system folder> using file names derived from existing Windows DLL names with an appended string “32”, such as hal32.dll, olecli3232.dll, olecli3232.exe, and authz32.dll.

Checking the origin of detections for Tracur, United States has the highest percentage of infections with 80%, followed by Japan, France, and Canada, accounting for 3% of detections each.

Win32/Tracur detections by country
Figure 4: Win32/Tracur detections by country

For Dursg, United States has 56% of the detected infections, followed by Turkey, Canada, and United Kingdom.

Chart 2 - Dursg detections by country
Figure 5: Win32/Dursg detections by country

As you can see, the evil twins of Tracur and Dursg are very prevalent. Microsoft Security Essentials and Microsoft Forefront Endpoint Protection both offer real-time protection to prevent you from becoming infected.

In addition you can take the extra step to be informed about the risk of search-redirecting malware as you browse the Internet. You may want to ensure a browser add-on installation is your intention in that you don’t inadvertently install a potentially dangerous web browser add-on.

We recommend using Internet Explorer 9 (IE9) for browser security and key benefits that include helping users stay in control of their browsing experience. IE9 notifies users whenever a new add-on is installed. IE9 also helps improve browsing performance by notifying users about slow-performing add-ons and making it easy for users to disable them. We find that these features help raise security awareness as well.


— Rodel Finones & Scott Wu, MMPC


PS: SHA1 hashes for both threats are listed below



Leave a reply



Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments