When malware is found lurking on a system, quite often it isn't acting alone. Once malware distributors have control of a system, they will do everything they can to compromise the machine and the user for maximum gain -- for instance, hijacking a browser's search results, or using rogue security software to extract payments from affected users -- and will try to install whatever other malware components they need to in order to make this happen.

Such is the case with Win32/Fareit, which is one of two new additions to the Microsoft Malicious Software Removal Tool (MSRT) for February 2012. Win32/Fareit is a family consisting of a password stealer and a component for performing Distributed Denial of Service (DDoS) attacks, and is often present on an affected system along with a suite of other malware.

The Distributed Denial of Service component, which we detect as DDoS:Win32/Fareit, contacts a remote server, which may instruct it to flood a target server with bogus HTTP traffic. It randomly chooses several fields of the HTTP header, in order to make it difficult for the targeted server to filter the unwanted requests. Hijacking the browser and collecting payments for rogue security software are not the only methods of profiting from an infected system, and this is where the password stealing component PWS:Win32/Fareit fits in.

When run, the malware scans the system looking for installations of popular FTP clients and cloud storage clients. Most of these allow users to cache login details for servers that they often connect to, and they store these details encrypted in configuration files or registry entries. If any of these clients are present on the system, the malware attempts to retrieve this login information from the files or registry, decrypt it, and post it to a remote server controlled by the attackers. Once they have this account information, they can log in to the compromised accounts, which often provide access to web servers, and upload other malware that they wish to distribute. You can see a list of the FTP clients and other software that PWS:Win32/Fareit targets in our encyclopedia description. It also attempts to steal stored passwords from some of the major web browsers. 

PWS:Win32/Fareit first came to our attention in large numbers in October, when we noticed it being installed by Win32/FakeScanti and Win32/Cycbot.

Win32/FakeScanti is a rogue security program that was added to MSRT in October 2009 and has recently gone by names such as Cloud AV 2012, AV Guard Online, Security Guard 2012, and Opencloud Antivirus.

Cloud AV 2012

Win32/Cycbot is a backdoor and browser hijacker, and was added to MSRT in February 2011. At various stages we have seen Win32/Cycbot and Win32/FakeScanti also downloading or installing one another, so this month's addition of Win32/Fareit helps complete the cleaning of this multi-family infection.

Win32/Cycbot remains highly prevalent, and Backdoor:Win32/Cycbot.G was the number-one threat removed by MSRT last month. Win32/FakeScanti activity has decreased, though we continue to monitor it closely; however, we have received no new undetected samples of it so far this year. Unfortunately, this isn't a sign that the rogue distributors have given up on their nefarious activities; most likely they have simply moved on to distributing different rogue families. 

If your system has been infected with Win32/Fareit, or related families like Win32/Cycbot, and you have any account details saved in your FTP client, after cleaning your local system, we recommend that you immediately change your password for each account. Check the related servers for new or suspicious files that you did not upload, change passwords for any accounts whose details you may have saved in your browser, and check those accounts for any unexpected activity.

The password-stealing component may only need to be run once in order to steal your credentials, so, by the time MSRT has performed its monthly scan, the damage may have already been done. This emphasizes the importance of running an antivirus solution that provides real-time protection.

David Wood
MMPC Melbourne