Malware authors have discovered a shortcut to create a Trojan horse program: using components from an anti-phishing product from China-based Zhuhai Kingsoft Software.
Symantec researcher Poul Jensen wrote about the malware on that company’s Connect blog on Wednesday. The Trojan package redistributes the executable and DLLs (dynamic link libraries) from Kingsoft’s WebShield product, an anti-phishing tool. The files, all digitally signed, are normally distributed as part of the Kingsoft Internet Security package, Jensen writes.
The Trojan authors have found a way to use the security features of the WebShield product for malicious purposes. For example, the Trojan uses WebShield’s ability to lock the browser home page to a specific domain and to redirect text-format URLs. Rather than redirecting IE users to safe domains, however, the Trojan redirects them to pages, described by Symantec as “advertisement link farms,” controlled by the malware authors.
The problem appears to be architectural: the WebShield product can be controlled using a simple text-format configuration file, “kws.ini.” The malware authors replace the Kingsoft version of that file with their own list of domains. Another file, spritesp.dat, contains a list of popular Chinese Web sites. Attempts to access those domains will be redirected by the Trojan.
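A defender-side audit of such a configuration, as an added example that is neither from the article nor Kingsoft’s code: since the article does not document the real kws.ini layout, it assumes an INI file with [HomePage] and [Redirect] sections and flags any entry whose target host is not on a vetted list, the point being that a signed executable says nothing about the unsigned text file that steers it.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample in an assumed kws.ini-style layout; the real WebShield
# format is not described in the article, so section and key names are made up.
SAMPLE_INI = """
[HomePage]
lock=1
url=http://homepage.example-adfarm.invalid/

[Redirect]
www.example-bank.test=http://ads.example-adfarm.invalid/bank
www.example-shop.test=http://www.example-shop.test/
"""

# Hosts the defender has vetted as legitimate redirect targets (constructed list).
TRUSTED_HOSTS = {"www.example-shop.test", "www.example-bank.test"}


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def audit_webshield_config(ini_text, trusted_hosts):
    """Return (kind, source_host, target_host) findings for entries that steer
    the browser toward hosts outside the vetted set."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep source hostnames exactly as written
    cfg.read_string(ini_text)
    findings = []

    # A locked home page pointing at an unvetted host is the first abuse described.
    if cfg.has_section("HomePage") and cfg.get("HomePage", "lock", fallback="0") == "1":
        target = host_of(cfg.get("HomePage", "url", fallback=""))
        if target not in trusted_hosts:
            findings.append(("homepage_lock", "", target))

    # Redirect rules that move a popular site to an unvetted host are the second.
    if cfg.has_section("Redirect"):
        for source, target_url in cfg.items("Redirect"):
            target = host_of(target_url)
            if target != source.lower() and target not in trusted_hosts:
                findings.append(("redirect", source, target))
    return findings
```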
Attackers further modified the WebShield product to make it difficult to uninstall and to ensure that it runs when Windows starts. In every other respect, however, WebShield works as it was designed to, which could make it difficult for users to realize they are running a malicious program, Jensen writes.