I've been monitoring the development of a particular strain of Alureon since the start of August this year. The installer (detected as Trojan:Win32/Alureon.FE - cc9a8000f80b6aecee30375e3277292a725acbfb) is easily distinguishable from more prevalent strains such as Trojan:Win32/Alureon.DX by the use of PE resources to store each component. This particular installer is often downloaded by variants of Trojan:Win32/Fakesysdef using remote file names such as '531-direct'.

Whilst investigating one of the components this week, I came across something new: Functionality to download another component with the file name 'com32' had been added. I proceeded to download and decrypt this component. My initial analysis yielded what appeared to be functionality related to cryptography and JPG processing. This intriguing combination piqued my interest, owing in part to a section of the configuration file which I had examined earlier.

I turned my attention to trying to determine the purpose of the URLs hosted on the free blogging sites "LiveJournal" and "WordPress". The content of each page appeared to be benign, containing numerous and varied JPGs hosted on the free image provider "imageshack.us". Examining the code responsible for retrieving the pages, I discovered the HTML content was parsed for specific IMG tags.

Alureon would then attempt to retrieve the JPG pointed to by the markup. The raw data, along with a 61-character ASCII string, would then be passed to the 'com32' component. The long string had a distinctly password-like appearance.

After further investigation, I was able to determine that embedded within each of the JPGs was a complete configuration file using steganography. One of the critical sections of the configuration file contains the list of command and control servers. The purpose of the publically hosted data was revealed -- it's there to provide a layer of redundancy and defense against existing domains that might become unavailable. In the event that no command and control server could be contacted, Alureon would then seek to retrieve an updated configuration file from these 'backup' locations. 

And below is a collage of the images I encountered, in which the configuration file is tucked away -- a grandmotherly woman, a bowl of Chinese medicinal herbs, and a fellow who appears to be the star of Top Gun.

Whilst the use of data embedded and obfuscated within JPG files is not a new technique, it is interesting to see Alureon adopt this technique as part of a defensive mechanism.
 

Scott Molenkamp
MMPC Melbourne