The malware authors who have been writing password-stealing Trojans, banking Trojans and rootkits have branched out into a new form of persistent malware designed to hijack victims’ Web browsing sessions.
A new Trojan called Opachki is making the rounds and it is doing far more than just logging keystrokes or stealing passwords. Opachki uses a dropper to infect users’ machines, loading a DLL file. It then goes through a complex routine that involves partially decrypting various strings in memory and then deleting the strings as soon as it’s finished with them.
As Opachki’s main goal is to hijack links, it hooks the send and recv API calls in the following programs: FIREFOX.EXE, IEXPLORE.EXE, OPERA.EXE and QIP.EXE. While the first three are well known, I had to investigate the last one. It turned out that QIP.EXE is an ICQ client that is very popular in Russia, so the trojan has a component that directly attacks Russian users.
The trojan will monitor web traffic (requests and responses) that the above-mentioned applications make and will inject a malicious script tag into every response.
But that’s not all. Opachki also has a couple of other nasty bits to it. The most damaging feature is its ability to delete the registry key that enables a user to boot a machine in Safe Mode. This makes recovery and disinfection much more difficult. And, once it has infected a PC, Opachki checks to see if the machine is already infected with one of the variants of the Zeus Trojan. If it is, then Opachki removes the Zeus infection.
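The article does not name the registry key Opachki deletes. The following PowerShell check, added here as an illustration and not code from the article or from any researcher it cites, assumes it is the standard SafeBoot key that Windows reads when booting into Safe Mode (HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot, with its Minimal and Network subkeys). A responder can run it on a suspect machine to confirm whether Safe Mode has been disabled before deciding between cleanup and a reimage.

```powershell
# Added example, not from the article. Verifies that the SafeBoot registry
# keys Windows uses for Safe Mode are still present and populated. The
# article says Opachki deletes the Safe Mode key; which key is an assumption.
$safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$required = @('Minimal', 'Network')   # Safe Mode and Safe Mode with Networking

$problems = @()
foreach ($sub in $required) {
    $path = "$safeBoot\$sub"
    if (-not (Test-Path -Path $path)) {
        $problems += "missing: $path"
        continue
    }
    # A healthy key lists the drivers/services Safe Mode is allowed to load;
    # an emptied key is as suspicious as a deleted one.
    $entries = @(Get-ChildItem -Path $path -ErrorAction SilentlyContinue).Count
    if ($entries -eq 0) {
        $problems += "empty: $path"
    }
}

if ($problems.Count -gt 0) {
    Write-Warning 'SafeBoot registry keys tampered with:'
    $problems | ForEach-Object { Write-Warning "  $_" }
    Write-Warning 'Safe Mode boot is likely unavailable; treat the host as compromised and consider reimaging.'
    exit 1
}

Write-Output 'SafeBoot keys present and populated.'
exit 0
```

Run it from an elevated PowerShell prompt; the exit code (1 on tampering, 0 otherwise) lets it be folded into a larger triage script. On a clean system both subkeys exist and contain dozens of entries, so a zero count is a strong signal even if the key itself survives.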
Researchers are not clear on why Opachki is specifically targeting Zeus, although Joe Stewart of SecureWorks speculated that the authors of the two Trojans may have competing interests.
The motivation behind this action is unclear. It could occur because ZeuS hooks the “send” and “recv” calls in a similar manner as Opachki, which might disrupt Opachki’s ability to inject data into HTTP streams. There is also the remote chance that the Opachki author could be hijacking ZeuS installations to deploy the trojan. As ZeuS has a downloader component that looks for updates at a predetermined URL, it would be possible for a hacker who gained access to a ZeuS server to replace the update with their code, piggybacking one botnet onto
Stewart adds that manual removal of Opachki is quite challenging and recommends that users reimage infected machines.