Bundling malware and legitimate software on unofficial download websites is an effective way of tricking users into running malicious files. We often see keygens, hacktools and game trainers bundled with trojans and posted on forums or as comments under videos.
I recently analyzed a file that claimed to be a game tool used for customizing Dota2, a multiplayer online battle arena video game developed by Valve Corporation. The tool was made by a third party and offered for free download online.
After unpacking the file, I found that it included more than the game tool - there was another executable in the bundle, a malware file that Microsoft detects as TrojanSpy:Win32/Usteal.D.
Further investigation into the origin of this malicious bundle led me to the online malware builder that created it. We detect this builder as TrojanSpy:Win32/Usteal.
TrojanSpy:Win32/Usteal is publically available online and is responsible for creating the malware that is then distributed to unsuspecting victims.
Figure 1: The user interface for the TrojanSpy:Win32/Usteal builder shows some of the applications it supports.
It is fairly customizable - with just a tick of a checkbox, users can enable and configure different malware features.
Figure 2: The builder is easily customized.
Once a trojan is created with the builder, an author can choose to bundle the malware with legitimate tools, software or images.
It’s then up to the author to decide how to distribute it. It could be as simple as uploading the file to a free hosting site and freely spam the link on forums, as comments or as instant messages. The distribution method depends on an attacker’s target.
Figure 3 below shows just one example of how an attacker can distribute bundled malware.
In this example an attacker is targeting Dota2 players. The attacker bundles a Dota2 game tool with TrojanSpy:Win32/Usteal. They then upload it to a hosting site.
Figure 3: One example of how an attacker can distribute bundled malware.
The attacker tries to distribute their malware by spamming comments in both Russian and English under Dota2-related videos on YouTube.
The main purpose of this malware is to steal stored passwords from various web browsers, FTP clients and instant messengers.
It does this by going to the location of the stored passwords - either a registry or a file, depending on the target application.
Figure 4: Registry locations in ICQ instant messenger.
It then parses the contents of the registry profile for the username and password. It writes it to a file, compresses, and encrypts it. The log file will have “ufr” at the beginning of the file name by default as well as a “ufr” header inside the file.
Figure 5: TrojanSpy:Win32/Usteal writes, compresses and encrypts stolen username and passwords.
The log or report file is then sent to the bundle author by e-mail, ftp or server.
After it is done, the trojan can either continue in launching the tool, software or images or delete itself as well as the report.
The builder also serves as the decoder for the log/report files which contain the stolen passwords.
However, TrojanSpy:Win32/Usteal can only steal stored passwords - it does not have a key logging function unless it is bundled with a keylogger or the downloading function is pointed to a keylogger.
Most infections for this trojan are detected in Russia where the software originated, but we are also seeing infections in other countries, including the United States.
Figure 6: TrojanSpy:Win32/Usteal infection rates by country.
The Microsoft Security Intelligence Report volume 13 has more details on the hidden dangers of free software bundled with hidden malware.
It is important to be aware of this risk, and understand just how easy it can be for malware authors to create malicious software bundles. It’s a good practice to download software directly from an official website - be wary of anything linked directly within a comment or forum post.