For the past few days, the AV team has been analyzing a set of files and URLs related to a certain Linkoptimizer Trojan.
Earlier today, Jovs posted about the site js.gbeb.cc, which uses a unique way of obfuscating code. This particular site connects to other sites when accessed. The sites it connects to are the following:
These sites in turn download TROJ_RKDICE.H with its rootkit component TROJ_LINKOPTIM.G.
TROJ_LINKOPTIM.G is a Browser Helper Object (BHO) that connects to these sites:
At present, the sites mentioned above serve blank pages, but our URL blocking blocks them nevertheless.
The point of this blog entry is to emphasize that the infection cycle used by this trojan is an example of how malware uses multiple components for propagation, obfuscation, and detection avoidance.