This month we added Win32/Tracur and Win32/Dursg, two of the most prevalent pieces of malware in the 'web redirector' category, to our Malicious Software Removal Tool (MSRT). After just over two weeks in release, we have early numbers on how well we are detecting and removing these twinned threats.

Win32/Tracur is a backdoor trojan that also redirects web search queries. About 99% of the Win32/Tracur samples we have seen also install Win32/Dursg.

As mentioned in our earlier post "MSRT July 2011: Targeting web redirector malware", Win32/Tracur installs a browser helper object (BHO) for Internet Explorer to monitor web search queries. It also drops Win32/Dursg, which installs malicious extensions for Firefox and Opera. Search results from engines such as Google, Yahoo!, AOL, Ask and Bing are redirected to a malicious site. To maintain control, Tracur modifies several registry entries, and to disguise its presence it gives its dropped files names that resemble those of legitimate Windows DLLs.

Figure 1: Snapshot of the infected Windows system folder


In the figure above, note the files audiosrv23.dll, dmime32.dll and hnetmon32.exe, none of which exists on a clean system. Win32/Dursg, on the other hand, accomplishes the same task by installing Mozilla Firefox and Opera extensions, as illustrated below.

Figure 2: Malicious Firefox extension installed by Win32/Dursg


Figure 3: Malicious Opera extension installed by Win32/Dursg


Win32/Dursg has also been seen distributed by other malware and file infectors such as Sality, Virut, Polip, Alureon and Tracur, to name just a few, which further widens its distribution. For complete information about the behavior of both families, please refer to the descriptions of Win32/Tracur and Win32/Dursg in the MMPC encyclopedia.

Since this MSRT release on July 12, we have removed 516,547 Win32/Tracur threats from 242,517 computers, making it the top family on this month's list. Another 91,041 instances of Win32/Dursg were removed from 73,166 computers.

Family      Threats    Machines
Tracur      516,547    242,517
Sality      429,202    239,353
Cycbot      199,339    170,889
Alureon     125,475     94,857
FakeRean     90,926     84,798
Vobfus       90,004     82,670
Taterf      100,183     77,618
Rimecud      80,865     74,614
Dursg        91,041     73,166
Brontok      73,429     68,370

Chart: MSRT top malware families removed in July 2011, ranked by number of machines cleaned (Threats counts individual detections, so a family can rank above one with a higher threat count)


The high ratio of Tracur threats to machines (more than two detections per infected computer) is explained by its dropped files. Tracur drops modified copies of itself into the <system folder> under file names derived from existing Windows DLL names with the string "32" appended, for example hal32.dll, olecli3232.dll, olecli3232.exe and authz32.dll.
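The naming scheme described above (and the dropped-file disguise mentioned earlier in this post) is easy to hunt for without signatures: a file whose stem is an existing .dll/.exe stem in the same folder plus "32" is a strong triage signal. The script below is an added example written for this post, not MMPC or MSRT code; the sample directory listing is constructed from the file names the post mentions, and scan_directory is a hypothetical helper that runs the same check over a real folder such as the Windows system folder.

```python
"""
Triage heuristic for Tracur-style dropped files.

Tracur names its copies after legitimate Windows files with "32" appended
to the stem: hal.dll -> hal32.dll, olecli32.dll -> olecli3232.dll, and the
same stem may reappear with an .exe extension (olecli3232.exe). This flags
any .dll/.exe whose stem minus a trailing "32" is the stem of another
.dll/.exe in the same listing. It is a triage signal only: confirm hits by
hash (see the SHA1s at the end of the post) or Authenticode signature.
"""
import os
from typing import Iterable

LOOKALIKE_EXTS = (".dll", ".exe")


def find_shadow_names(names: Iterable[str]) -> list[tuple[str, str]]:
    """Return (suspect, template) pairs found in a directory listing.

    Comparison is case-insensitive, as on NTFS. A genuine Windows name such
    as kernel32.dll is not flagged, because stripping "32" gives "kernel",
    which is not the stem of any real file in the listing.
    """
    listing = {n.lower() for n in names}

    # Index legitimate-looking stems -> file names carrying that stem.
    stems: dict[str, list[str]] = {}
    for n in listing:
        stem, ext = os.path.splitext(n)
        if ext in LOOKALIKE_EXTS:
            stems.setdefault(stem, []).append(n)

    hits: list[tuple[str, str]] = []
    for n in sorted(listing):
        stem, ext = os.path.splitext(n)
        if ext not in LOOKALIKE_EXTS or not stem.endswith("32"):
            continue
        base = stem[:-2]  # drop the appended "32"
        if base and base in stems:
            for template in sorted(stems[base]):
                hits.append((n, template))
    return hits


def scan_directory(path: str) -> list[tuple[str, str]]:
    """Hypothetical helper: run the heuristic over a real folder listing,
    e.g. scan_directory(r"C:\\Windows\\System32")."""
    return find_shadow_names(os.listdir(path))


# Constructed sample listing (not a real capture): a few legitimate system
# files plus the dropped names quoted in the post.
SAMPLE_LISTING = [
    "hal.dll", "olecli32.dll", "authz.dll", "dmime.dll", "hnetmon.dll",
    "user32.dll", "kernel32.dll", "ws2_32.dll",
    "hal32.dll", "olecli3232.dll", "olecli3232.exe", "authz32.dll",
    "dmime32.dll", "hnetmon32.exe",
]

if __name__ == "__main__":
    for suspect, template in find_shadow_names(SAMPLE_LISTING):
        print(f"{suspect:18} mimics {template}")
```

On the constructed listing this reports six suspects (hal32.dll, authz32.dll, dmime32.dll, hnetmon32.exe and both olecli3232 files) and leaves user32.dll, kernel32.dll and ws2_32.dll alone. Expect occasional benign hits on a real system, so treat the output as a worklist for hash and signature checks rather than as a verdict.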

Looking at where Tracur detections originate, the United States has the highest share at 80%, followed by Japan, France and Canada with about 3% each.

Figure 4: Win32/Tracur detections by country


For Dursg, the United States accounts for 56% of detected infections, followed by Turkey, Canada and the United Kingdom.

Figure 5: Win32/Dursg detections by country


As you can see, the evil twins Tracur and Dursg are very prevalent. Microsoft Security Essentials and Microsoft Forefront Endpoint Protection both offer real-time protection that blocks them before infection.

You can also take an extra step and stay alert to search-redirecting malware as you browse: before accepting a browser add-on installation, make sure it is one you intended, so that you do not inadvertently install a potentially dangerous add-on.

We recommend Internet Explorer 9 (IE9) for its browser security and for features that help users stay in control of their browsing experience. IE9 notifies the user whenever a new add-on is installed; it also flags slow-performing add-ons and makes them easy to disable. We find that these features raise security awareness as well as improve performance.



-- Rodel Finones & Scott Wu, MMPC


PS: SHA1 hashes of samples of both threats are listed below.

Win32/Tracur:
4255ecff84049004254dadc820eed72b34cd2f06
253d163638ab72f18e4b1ebd71295b996bdbb736

Win32/Dursg:
5e12f9c1d4bc98d85167eac7c0010618ffed5a9d
a47baf291928d7a4010f66522e282700d60ec5cb