Smitfraud Alert infectionvectors.com June 2005
Vector: Web Drive-by/Trojan
Impact: Medium (infects system DLL, tracks web viewing, spy/adware installation)
Smitfraud (downloaded by a Trojan that is often given the same name or sometimes listed as a variant of CWS) carries a routine that replaces the system DLL “WININET.DLL” (Microsoft Windows Internet). Some reports have indicated that this is initially a viral infection (parasitic); however, it appears that the endgame for the malware is to simply replace WinInet.dll with a file it drops as “OLEADM32.DLL” (which, in turn, appears to be a hacked copy of WinInet.dll). The real WinInet.dll processes web-related request functions for MS Windows machines. In this case, the malware is interested in seeing everything that is sent out to the Internet as a page request, and logging that data for the use of advertisers.
WinInet.dll takes request handles that are framed by the HttpOpenRequest function and sends them to an HTTP server. Smitfraud copies these requests and posts them to servers presumably under the control of the code authors. When cleaning this infection, note that the original DLL will need to be replaced.
Servers used for one iteration of this malware include these three, all registered to cities in Russia:
http://ecjnoe3inwe.com http://dkjfwekjnc4.com http://fjrewcer32.com
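Because the hijacked WinInet.dll re-posts each page request to the report servers, an infected host shows up in web-proxy or firewall logs as a client that keeps contacting those three names. The script below is an added detection example, not part of the advisory or any vendor's tooling: it scans proxy log lines for connections to the listed hosts (or their subdomains) and groups hits by client so the affected machines can have their WININET.DLL checked and restored. The log format, the 10.1.2.x client addresses and the sample lines are constructed for the example; only the three host names come from the advisory.

```python
"""Scan web-proxy logs for traffic to the Smitfraud report servers named above."""
import re
from urllib.parse import urlparse

# The three server names listed in the advisory. Add further hosts here as
# they are confirmed; nothing else in this file is taken from the advisory.
SMITFRAUD_HOSTS = frozenset({
    "ecjnoe3inwe.com",
    "dkjfwekjnc4.com",
    "fjrewcer32.com",
})

# Constructed sample proxy log (not a real capture): timestamp, client IP,
# method, URL, HTTP status. The 10.1.2.x addresses are made up.
SAMPLE_LOG = """\
2005-06-14T09:12:01 10.1.2.33 GET http://www.example.com/index.html 200
2005-06-14T09:12:02 10.1.2.33 POST http://ecjnoe3inwe.com/log.php 200
2005-06-14T09:12:05 10.1.2.33 GET http://msdn.microsoft.com/library/default.asp 200
2005-06-14T09:12:06 10.1.2.33 POST http://dkjfwekjnc4.com/log.php 200
2005-06-14T09:13:40 10.1.2.57 GET http://www.example.org/ 200
2005-06-14T09:14:10 10.1.2.57 POST http://cdn.fjrewcer32.com/collect 404
2005-06-14T09:15:00 10.1.2.90 GET http://notdkjfwekjnc4.com/ 200
"""

# One log record per line; malformed lines are skipped rather than aborting.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def is_smitfraud_host(host: str) -> bool:
    """True if host is one of the listed servers or a subdomain of one.

    A dot boundary is required so that a look-alike such as
    'notdkjfwekjnc4.com' is not reported as a hit.
    """
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in SMITFRAUD_HOSTS)


def scan_log(text: str) -> list[dict]:
    """Return one finding per log line whose URL points at a listed host."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        host = urlparse(m["url"]).hostname
        if host and is_smitfraud_host(host):
            findings.append({
                "line": lineno,
                "time": m["ts"],
                "client": m["client"],
                "method": m["method"],
                "host": host,
            })
    return findings


def clients_to_check(findings: list[dict]) -> dict[str, set[str]]:
    """Group hits by client IP. These are the machines whose WININET.DLL
    should be verified and, if tampered with, replaced from a clean copy."""
    by_client: dict[str, set[str]] = {}
    for f in findings:
        by_client.setdefault(f["client"], set()).add(f["host"])
    return by_client


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"line {f['line']}: {f['client']} {f['method']} -> {f['host']} at {f['time']}")
    for client, hosts in sorted(clients_to_check(hits).items()):
        print(f"check {client}: contacted {', '.join(sorted(hosts))}")
```

Run against the sample, the scan reports the three POSTs to listed hosts and flags two clients; the look-alike name on the last line is correctly ignored. On a real proxy log the client grouping is what matters: once a client has been confirmed, the DLL on that machine has to be replaced, since blocking the domains alone leaves the hijacked WinInet.dll in place.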
Information on WinInet.dll can be found at: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wininet/wininet/wininet_functions.asp
Initial reports of this malware showed a single target: Smith Barney customers (hence the name that it carries). Kaspersky initially catalogued that threat in January of 2005. http://www.viruslist.com/en/viruses/encyclopedia?virusid=68326
Copyright © 2005 infectionvectors.com. All rights reserved.