We included three threat families in the April edition of the Microsoft Malicious Software Removal Tool - Win32/Claretore, Win32/Bocinex and Win32/Gamarue. In this post, we discuss Win32/Claretore.

The earliest reported variant in this family can be traced back to November 2011. Claretore is a trojan that injects itself into running processes to intercept browser traffic and redirect the browser to an attacker-defined URL. It also sends information about the affected computer to a remote server.

The installation and preservation mechanism employed by Claretore is not new but it is aggressive. Claretore drops copy of itself to the user profile's folder and the temp folder, and removes the original copy of the malware. The registry is modified to execute Claretore at every Windows start.

Registry data associated with launching Win32/Claretore at Windows start

Image 1 - Registry data associated with launching Win32/Claretore at Windows start

The aggressive part is that it injects itself as a DLL component to each running process that loads the kernel32 module. This method allows the malware to support being installed on Windows 2000 operating systems and helps in hiding the malware so that it is does not appear present when viewing running processes using Windows Task Manager.

Below, you can see Win32/Claretore injected into "iexplore.exe" as shown via a debugging utility:

View of process "iexplore.exe" with Win32/Claretore injection

Image 2 - View of process "iexplore.exe" with Win32/Claretore injection

The malware attempts to block its removal by manual cleaning or by a security product by creating two monitoring threads that persistently verify if its file component and registry has been modified by others. This mechanism is implemented by utilizing the following Windows APIs:

  • RegNotifyChageKeyVaule
  • ReadDirectoryChanges

Next, Claretore is ready to do its 'dirty work'. It hooks the following three network APIs to intercept certain web traffic:

  • WSPCloseSocket
  • WSPSend
  • WSPRecv

The trojan is then able to intercept every website accessed that also has contains a reference to Google Analytics JavaScript, and replaces the legitimate code with code from an attacker-supplied URL. For example, a variant of Win32/Claretore was observed to replace references to the Google Analytics JavaScript "google-analytics.com/ga.js" with "<removed>in-f108.com/ga.js", allowing attacker-specified code to execute.

Tracing through Win32/Claretore code

Tracing through Win32/Claretore code

Image 3 - Tracing through Win32/Claretore code


Win32/Claretore collects and sends the following details, encrypted using MD5, about the affected computer to an attacker-supplied URL:

  • Machine GUID
  • User logon account name
  • Computer name
  • Windows install date
  • Disk identifier

 

This threat is detected and removed by the Microsoft Windows Malicious Software Removal Tool and when using current security technologies and protection. Thank you for reading and stay tuned to the MMPC for the latest developments in the digital threat landscape.

--Tim Liu, MMPC