The Latest in IT Security

MSRT November: Dofoil

23
Nov
2011

As previously noted, one of the three families added to the November release of the Microsoft Malicious Software Removal Tool is Win32/Dofoil. TrojanDownloader:Win32/Dofoil is a configurable downloader. Dofoil will attempt to receive control instructions from a remote server. The response contains encrypted configuration data containing download URLs and execution options, as visible in a partially decrypted Dofoil configuration shown below:

Partially decrypted Dofoil configuration

Figure 1. Partially decrypted Dofoil configuration

The current generation of Dofoil can be purchased on illicit online marketplaces. Prices are advertised in US dollar equivalent WebMoney values. Depending on the version purchased, the price ranges between 150-250 $US for the main malware component. The cost for plugins ranges from an additional 25-150 $US. One example plugin is a password stealing component which targets many FTP, IM, poker and email clients.

Whilst often seen as an attachment as part of a spam campaign, the MMPC has observed Win32/Dofoil distributed and installed via other mechanisms such as by exploit. In the wild Win32/Dofoil variants are employed to download rogue security software such as Trojan:Win32/FakeSysdef and spam capable malware such as Trojan:Win32/Danmec.L.

Among observed spam campaigns, here is a small selection of spam lures employed during the last two months:

IRS

From: [email protected]
Subject: IRS Notification

Tax notice,

There are arrears reckoned on your account over a period of 2010-2011 year.
You will find all calculations according to your financial debt, enclosed.
You have to sick the debt by the 17 December 2011.

Sincerely,
IRS.

 

————————

iTunes

From: [email protected]
Subject: Your iTunes Gift Certificate

Hello,

You have received an Itunes Gift Certificate in the amount of $50
You can find your certificate code in attachment below.

Then you need to open iTunes. Once you verify your account, $50 will be credited to your account.
So you can start buying video, music, games right away.

iTunes Store.

 

————————

Xerox

Subject: Fwd: Scan from a Xerox W. Pro #16389356

Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro.

Sent by: Guest
Number of Images: 4
Attachment File Type: ZIP [DOC]

WorkCentre Pro Location: machine location not set
Device Name: RXX135OO6MSX6732224

 

————————
 
German

From: “Deutsche Post” ([email protected])
Subject: Holen Sie ihre Postsendung ab.

Lieber Kunde,

Es ist unserem Boten leider misslungen einen Postsendung an Ihre Adresse zuzustellen.
Grund: Ein Fehler in der Leiferanschrift.
Sie konnen Ihre Postsendung in unserer Postabteilung personlich kriegen.
Anbei finden Sie einen Postetikett.
Sie sollen dieses Postetikett drucken lassen, um Ihre Postsendung in der Postabteilung empfangen zu konnen.

Vielen Dank!
Deutsche Post AG.

————————

The Malicious Software Removal Tool reported variants of Win23/Dofoil on 13,488 unique machines this month. Forty-seven percent of these machines were running Windows XP, whilst approximately twenty-nine percent were running Windows 7. Looking at the geographic distribution of the machines which reported a Win32/Dofoil detection:

 
Geographic distribution of machines reporting 

 Figure 2. Geographic distribution of machines reporting

Whilst most prevalent in the United States, the MMPC observed those attempting to distribute Win32/Dofoil employing the use of localized lures targeting recipients in Germany, France Italy and Australia.
 
As we begin to wrap up 2011, we give to you another monthly installment of the MSRT to wrap up another malware family.
 

Scott Molenkamp
MMPC Melbourne

 

Leave a reply


Categories

SATURDAY, DECEMBER 07, 2024
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments