As previously noted, one of the three families added to the November release of the Microsoft Malicious Software Removal Tool is Win32/Dofoil. TrojanDownloader:Win32/Dofoil is a configurable downloader. Dofoil will attempt to receive control instructions from a remote server. The response contains encrypted configuration data containing download URLs and execution options, as visible in a partially decrypted Dofoil configuration shown below:
Figure 1. Partially decrypted Dofoil configuration
The current generation of Dofoil can be purchased on illicit online marketplaces. Prices are advertised in US dollar equivalent WebMoney values. Depending on the version purchased, the price ranges between 150-250 $US for the main malware component. The cost for plugins ranges from an additional 25-150 $US. One example plugin is a password stealing component which targets many FTP, IM, poker and email clients.
Whilst often seen as an attachment as part of a spam campaign, the MMPC has observed Win32/Dofoil distributed and installed via other mechanisms such as by exploit. In the wild Win32/Dofoil variants are employed to download rogue security software such as Trojan:Win32/FakeSysdef and spam capable malware such as Trojan:Win32/Danmec.L.
Among observed spam campaigns, here is a small selection of spam lures employed during the last two months:
IRS
From: [email protected]
Subject: IRS Notification
Tax notice,
There are arrears reckoned on your account over a period of 2010-2011 year.
You will find all calculations according to your financial debt, enclosed.
You have to sick the debt by the 17 December 2011.
Sincerely,
IRS.
————————
iTunes
From: [email protected]
Subject: Your iTunes Gift Certificate
Hello,
You have received an Itunes Gift Certificate in the amount of $50
You can find your certificate code in attachment below.
Then you need to open iTunes. Once you verify your account, $50 will be credited to your account.
So you can start buying video, music, games right away.
iTunes Store.
————————
Xerox
Subject: Fwd: Scan from a Xerox W. Pro #16389356
Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.
Sent by: Guest
Number of Images: 4
Attachment File Type: ZIP [DOC]
WorkCentre Pro Location: machine location not set
Device Name: RXX135OO6MSX6732224
————————
German
From: “Deutsche Post” ([email protected])
Subject: Holen Sie ihre Postsendung ab.
Lieber Kunde,
Es ist unserem Boten leider misslungen einen Postsendung an Ihre Adresse zuzustellen.
Grund: Ein Fehler in der Leiferanschrift.
Sie konnen Ihre Postsendung in unserer Postabteilung personlich kriegen.
Anbei finden Sie einen Postetikett.
Sie sollen dieses Postetikett drucken lassen, um Ihre Postsendung in der Postabteilung empfangen zu konnen.
Vielen Dank!
Deutsche Post AG.
————————
The Malicious Software Removal Tool reported variants of Win23/Dofoil on 13,488 unique machines this month. Forty-seven percent of these machines were running Windows XP, whilst approximately twenty-nine percent were running Windows 7. Looking at the geographic distribution of the machines which reported a Win32/Dofoil detection:
Figure 2. Geographic distribution of machines reporting
Whilst most prevalent in the United States, the MMPC observed those attempting to distribute Win32/Dofoil employing the use of localized lures targeting recipients in Germany, France Italy and Australia.
As we begin to wrap up 2011, we give to you another monthly installment of the MSRT to wrap up another malware family.
Scott Molenkamp
MMPC Melbourne
Leave a reply