Malware replacing Windows system files is an old trick. Replacing another application's module, however, is not very common because of the complicated triggering requirements. In the past, we only saw malware that modified QQ's components to steal users' QQ account credentials. Recently, we found malware that replaces modules of several popular applications in order to behave maliciously.
Generally speaking, this malware first downloads a configuration file that describes which file to replace and how to do it. Second, it sets up a timer to check for the target application and downloads the malicious file to replace the original one. When the fake module is loaded by the main application, it behaves as a clicker.
The configuration file looks like the one below. I have commented it to make it easier to understand:
The malware first sets up two timers that keep running:
It parses the configuration file to learn how to read the registry for the target application's information:
Then it checks the file name and file version to decide whether to replace the file:
If the answer is yes, it downloads the associated pre-modified file, kills the application's process, backs up the original file and replaces it:
So far, the malware has replaced the original file with a malicious one. Now let's have a look at the fake module file. Its DllMain function is as follows:
It is easy to understand. It first adds an entry under the Run key so that the application starts with the system. Then it checks whether a mutex named 'Pidalce' exists. If not, which means no infector is running on the system, it downloads a payload and launches it:
After that, it adds some unwelcome quick links to both the Internet Explorer Favorites and the desktop. Finally, it loads the original module that was backed up earlier, so that the application keeps working normally.
What about the exported functions? How does the fake file implement them so that the application still runs properly? Look at the snapshot below:
As mentioned above, the fake module loads the original module; so in each fake export function, the malware gets the address of the original export function and calls it, behaving as if the original function had been called.
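The replacement routine described above (check name and version, back up the original, drop the fake) can be inverted into a defender-side integrity check. The following is an added example, not code from the original post or from AVG: it assumes a known-good SHA-256 manifest for the application's modules and a constructed sample directory; the backup file name ("player.dll.bak") is an assumption, since the post does not give the malware's backup naming.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_replaced_modules(app_dir, manifest):
    """Return (finding, detail) tuples for an application directory.

    'replaced'           - a manifest module whose hash no longer matches.
    'backup_of_original' - a file under a different name whose hash equals a
                           known-good module: the leftover the described malware
                           creates when it backs up the original before dropping
                           its fake copy.
    """
    known = {digest: name for name, digest in manifest.items()}
    findings = []
    for entry in sorted(os.listdir(app_dir)):
        path = os.path.join(app_dir, entry)
        if not os.path.isfile(path):
            continue
        digest = sha256_of(path)
        if entry in manifest:
            if digest != manifest[entry]:
                findings.append(("replaced", entry))
        elif digest in known:
            findings.append(("backup_of_original", f"{entry} (copy of {known[digest]})"))
    return findings


def demo():
    """Constructed application directory mimicking the post's scenario (assumed names)."""
    d = tempfile.mkdtemp()
    original = b"MZ original player module"  # stand-in for the genuine DLL
    fake = b"MZ fake clicker module"         # stand-in for the dropped DLL
    manifest = {"player.dll": hashlib.sha256(original).hexdigest(),
                "codec.dll": hashlib.sha256(b"MZ codec").hexdigest()}
    with open(os.path.join(d, "player.dll"), "wb") as f: f.write(fake)      # replaced
    with open(os.path.join(d, "player.dll.bak"), "wb") as f: f.write(original)  # backup
    with open(os.path.join(d, "codec.dll"), "wb") as f: f.write(b"MZ codec")  # untouched
    return find_replaced_modules(d, manifest)
```

Run against a real install, the manifest would come from a clean installation or the vendor's signed package rather than from constructed bytes.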
From the configuration file, we find that this malware replaces modules of these popular applications in China:
Thunder
PPStream
PPLive
StormPlayer
AliWangwang
TTPlayer
SogouExplorer
Maxthon
These are widely used programs in China. AVG detects this malware as Clicker to keep you safe.
Jason Zhou & Hynek Blinka