This month, the MSRT team added the Win32/Afcore family of trojans to its detections. This malware is also known as Coreflood.

It has evolved over time, first breaking onto the scene in 2003. At the time, it was encountered when visiting a malicious web page containing obfuscated VBScript and detected as TrojanDropper:VBS/Inor.B. Using hexadecimal encoding, the VBScript dropper would create an executable, detected as Backdoor:Win32/Apdoor.C. Its main functionality was somewhat simple then and the malware referred to itself as “AICORE” in its debug messages.

The threat family dropped off in telemetry in 2009, and around the same time it became part of a command-and-control (C&C) network, or botnet. The sophistication of the malware increased: it began spawning multiple processes and using obfuscation and anti-emulation techniques.

Throughout the evolution of what is now known as Afcore, the communication the malware sends to the C&C server has remained essentially the same. The malware uses debug messages for version tracking. Some of the debug strings include the following:

  • AFCORE
  • COM2PLUS_MessageWindowClass
  • Version 3.1-test22(tv7) built on 06/11/08 at 15:32:57
  • Basename: %s, PID: %d (%s)
  • Octopus PID: %d(%i)
  • Shutting down AF . . .
  • Restarting AF . . .
  • Respawning AF . . .
  • User is logging off (%h)
  • AF has exited (%d): %s
  • Windows day %d has elapsed
  • AF 3.1-test22 has caused exception %h at %s+%h (%h)
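The debug strings above are the kind of static artifact a detection engineer would turn into a triage rule. The following is an added example, not MMPC code or anything shipped in MSRT: it looks for those strings in a byte buffer in both 8-bit and UTF-16LE form (wide strings are common in Windows binaries), matches the format-string entries on their static prefix since `%s`/`%d`/`%h` are only filled in at run time, and pulls the version out of the build string. The sample buffers are constructed for the example and contain no real malware bytes; the three-marker threshold is the example's own choice.

```python
import re

# Debug strings quoted in the post. Entries that contain format specifiers
# (%s, %d, %h) are reduced to their static prefix, since the specifier is
# replaced with a value when the message is emitted at run time.
AFCORE_MARKERS = [
    "AFCORE",
    "COM2PLUS_MessageWindowClass",
    "Octopus PID: ",
    "Shutting down AF",
    "Restarting AF",
    "Respawning AF",
    "User is logging off",
    "AF has exited",
    "Windows day ",
    "has caused exception",
]

# Generalises "Version 3.1-test22(tv7) built on 06/11/08 at 15:32:57" from the post:
# captures version, tag and build date/time of whatever build is present.
VERSION_RE = re.compile(
    r"Version (\d+\.\d+-test\d+)\(([^)]*)\) built on (\d\d/\d\d/\d\d) at (\d\d:\d\d:\d\d)"
)


def _text_views(data: bytes):
    """Yield the buffer as text under the encodings a Windows binary is likely to
    use: plain 8-bit, and UTF-16LE at both byte alignments (a wide string can start
    at an odd offset, and decoding from the wrong alignment yields garbage)."""
    yield data.decode("latin-1")
    for offset in (0, 1):
        chunk = data[offset:]
        chunk = chunk[: len(chunk) - (len(chunk) % 2)]  # utf-16 needs an even length
        yield chunk.decode("utf-16-le", errors="ignore")


def find_markers(data: bytes) -> set:
    """Return the set of Afcore debug markers present in any encoding view."""
    hits = set()
    for view in _text_views(data):
        for marker in AFCORE_MARKERS:
            if marker in view:
                hits.add(marker)
    return hits


def find_version(data: bytes):
    """Return (version, tag, date, time) from the build string, or None if absent."""
    for view in _text_views(data):
        m = VERSION_RE.search(view)
        if m:
            return m.groups()
    return None


def triage(data: bytes, min_markers: int = 3) -> dict:
    """Combine both checks. A buffer is flagged when several markers co-occur or a
    build string is present; a single short token such as "AFCORE" is weak evidence."""
    markers = find_markers(data)
    version = find_version(data)
    return {
        "markers": sorted(markers),
        "version": version,
        "flagged": len(markers) >= min_markers or version is not None,
    }


# Constructed samples (not real malware): a fake "binary" embedding some of the
# strings in 8-bit form and one as UTF-16LE at an odd offset, and a clean buffer.
SUSPECT_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"Version 3.1-test22(tv7) built on 06/11/08 at 15:32:57\x00"
    + b"\x00" * 7  # odd padding so the wide string lands on an odd alignment
    + "Shutting down AF . . .".encode("utf-16-le")
    + b"\x00Octopus PID: %d(%i)\x00AFCORE\x00"
)
CLEAN_SAMPLE = b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\x00" * 4

if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, triage(blob))
```

Scanning both UTF-16 alignments is the part most ad-hoc string checks get wrong: a wide string that starts at an odd file offset is invisible to a single `decode("utf-16-le")` of the whole file.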

Win32/Afcore comprises two components: a dropper, and the installed malware that runs as a backdoor. The backdoor component is injected into running processes and connects to a remote server to retrieve commands that are executed on the affected system. Commands could include instructions to steal passwords, attack other computers, and so on. When the dropper is executed, it creates randomly named executable and data files, such as the following:

%TEMP%\gnfl.dll – Win32/Afcore
C:\Windows\System32\iaspojcy.dil – Win32/Afcore
C:\Windows\System32\iaspojcy.dat – data file
C:\Windows\System32\comrspl.dat – data file
C:\Windows\System32\kbdmlv47.dat – data file

The registry is modified to execute Win32/Afcore at Windows start, as indicated below in these examples of modified registry data:

In subkey: HKLM\Software\Classes\CLSID\{B22FE457-E4C9-7E85-2AE3-0AF0B4E3A03C}
Sets value: "(default)"
With data: "iaspojcy"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{B22FE457-E4C9-7E85-2AE3-0AF0B4E3A03C}\InprocServer32
Sets value: "(default)"
With data: "C:\Windows\System32\iaspojcy.dil"
 
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\iaspojcy
Adds value: "(default)"
With data: "{B22FE457-E4C9-7E85-2AE3-0AF0B4E3A03C}"

Because the DLL is registered as a shell icon overlay identifier and as an in-process COM server, these registry changes cause Win32/Afcore to be loaded whenever Windows Explorer runs and whenever Internet Explorer is launched.
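The persistence chain described above (ShellIconOverlayIdentifiers entry → CLSID → InprocServer32 → DLL on disk) is something a responder can audit offline from a registry export. The following is an added example, not MMPC code or an MSRT routine: it parses a `.reg` export, walks every overlay identifier to the DLL its CLSID points at, and reports entries whose server file is not a `.dll` (the post's sample uses a `.dil` extension) or whose CLSID has no `InprocServer32` key. Registry paths are compared case-insensitively, which matters because the post itself mixes `Software` and `SOFTWARE`. The export text is constructed for the example; the benign entry, its CLSID and the "stale" entry are invented placeholders, and the heuristics are the example's own, intended to produce a short list for analyst review rather than a verdict.

```python
import re

OVERLAY_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers"
CLSID_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"

_SECTION_RE = re.compile(r"^\[(.+)\]$")
# A value line is either @=... (the default value) or "name"=...
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping (\\ for a backslash, \" for a quote)."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> dict:
    """Parse a .reg export into {lowercased key path: (original path, {lowercased
    value name: data})}. Only REG_SZ data ("...") is unescaped; other types are kept raw."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, (m.group(1), {}))
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1]).lower()
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][1][name] = data
    return keys


def audit_overlay_identifiers(keys: dict) -> list:
    """Resolve each ShellIconOverlayIdentifiers entry to its COM server DLL and attach
    review reasons. Returned in export order; an empty reasons list means nothing odd."""
    findings = []
    prefix = OVERLAY_ROOT.lower() + "\\"
    for key, (orig, values) in keys.items():
        # direct children of the overlay root only
        if not key.startswith(prefix) or "\\" in key[len(prefix):]:
            continue
        entry = orig[len(prefix):]
        clsid = values.get("", "")
        inproc_key = f"{CLSID_ROOT.lower()}\\{clsid.lower()}\\inprocserver32"
        dll = keys.get(inproc_key, ("", {}))[1].get("", "")
        reasons = []
        if not clsid:
            reasons.append("entry has no CLSID")
        elif not dll:
            reasons.append("CLSID has no InprocServer32 path")
        elif not dll.lower().endswith(".dll"):
            reasons.append(f"server file is not a .dll ({dll.rsplit(chr(92), 1)[-1]})")
        findings.append({"entry": entry, "clsid": clsid, "dll": dll, "reasons": reasons})
    return findings


def suspicious(findings: list) -> list:
    """Only the entries that collected at least one reason."""
    return [f for f in findings if f["reasons"]]


# Constructed export mimicking the keys listed in the post plus two invented entries:
# a benign-looking handler under Program Files and a CLSID with no server registered.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B22FE457-E4C9-7E85-2AE3-0AF0B4E3A03C}]
@="iaspojcy"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B22FE457-E4C9-7E85-2AE3-0AF0B4E3A03C}\InprocServer32]
@="C:\\Windows\\System32\\iaspojcy.dil"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\iaspojcy]
@="{B22FE457-E4C9-7E85-2AE3-0AF0B4E3A03C}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\ExampleSync\\overlay.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ ExampleSyncOverlay]
@="{00000000-0000-0000-0000-000000000001}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\Stale]
@="{00000000-0000-0000-0000-0000000000FF}"
'''

if __name__ == "__main__":
    for f in suspicious(audit_overlay_identifiers(parse_reg_export(SAMPLE_REG_EXPORT))):
        print(f"{f['entry']!r}: {f['dll'] or f['clsid']} -> {'; '.join(f['reasons'])}")
```

On a live system the input would come from `reg export` of the ShellIconOverlayIdentifiers key and of `HKLM\SOFTWARE\Classes\CLSID`, concatenated; `reg export` writes UTF-16LE with a BOM, so read the file with `encoding="utf-16"`. The leading space in the invented ` ExampleSyncOverlay` name is deliberate: legitimate overlay handlers often use leading spaces to sort ahead of others, so the parser must not strip it.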

Win32/Afcore injects code from a utility named “jb.dll”, known as the “jailbreak tool”, to export certificates marked as non-exportable from the Windows certificate store. The certificates could then be used by an attacker to access online banking sites without authorization. The malware could also perform the following actions:

  • modify the registry to run at Windows start
  • steal private certificates
  • restart or shut down its currently running process
  • monitor Windows sockets
  • connect to a remote host to transmit data

Additionally, Win32/Afcore could monitor network traffic to steal credentials associated with performing online mobile payments. The malware contains the following strings that it uses when monitoring traffic:

  • telegraphic
  • swift
  • remittance
  • foreign
  • s.w.i.f.t
  • cross-border

Win32/Afcore contains code that assists in capturing traffic and stealing information communicated when visiting websites whose addresses match the following patterns, two of which are associated with National Health Service sites:

  • *.nhs.net/*
  • *.nhs.uk/*
  • *.hilton.*
  • *.yahoo.*
  • *.google.*

The trojan monitors communication sent via secure hypertext transfer protocol (HTTPS) as well. Win32/Afcore has been known to communicate with servers named “joy4host.com” and “antrexhost.com”. The IP addresses reported for these servers were located in Germany.

The addition of Win32/Afcore to MSRT this month comes at the request of the FBI and the Department of Justice to support a takedown operation, which is discussed here: http://www.justice.gov/opa/pr/2011/April/11-crm-466.html.

Microsoft is pleased to work with law enforcement, industry and academia when it leads to a safer computing environment for all of us. It is gratifying to see law enforcement agencies around the world taking aggressive steps to curb criminality on the Internet. Kudos to all of those involved.


-- Jaime Wong & Jeff Williams, MMPC