We included three threat families in the April edition of the Microsoft Malicious Software Removal Tool - Win32/Claretore, Win32/Bocinex and Win32/Gamarue. In this post, we discuss Win32/Claretore.
The earliest reported variant in this family can be traced back to November 2011. Claretore is a trojan that injects itself into running processes to intercept browser traffic and redirect the browser to an attacker-defined URL. It also sends information about the affected computer to a remote server.
The installation and persistence mechanism employed by Claretore is not new, but it is aggressive. Claretore drops a copy of itself into the user profile folder and the temp folder, then deletes the original file. It also adds a registry entry so that the dropped copy is executed at every Windows start.
Image 1 - Registry data associated with launching Win32/Claretore at Windows start
The aggressive part is that it injects itself as a DLL into every running process that has the kernel32 module loaded, which in practice means every user-mode process. Depending only on kernel32 lets the malware run on systems as old as Windows 2000, and running inside other processes means no separate malicious process appears when viewing running processes with Windows Task Manager.
Below, you can see Win32/Claretore injected into "iexplore.exe" as shown via a debugging utility:
Image 2 - View of process "iexplore.exe" with Win32/Claretore injection
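The two behaviours described so far, a Run-key entry pointing at a dropped copy under the user profile or temp folder and a DLL from those folders loaded into otherwise legitimate processes, are both things a responder can check for from a PowerShell prompt. The script below is an added example written for this page, not MMPC tooling and not taken from the post; the post does not name the registry value, file names or DLL name Claretore uses, so the script does not look for specific indicators but instead lists every autostart entry and every loaded module whose image lives under %TEMP% or %USERPROFILE%, together with its Authenticode status. The list of Run keys checked and the choice of those two folders are assumptions.

```powershell
# Added hunting script (not part of the MMPC post): lists Run-key entries and
# loaded modules whose file sits under the user profile or temp folder, the
# two drop locations named in the post. Run it from an elevated prompt whose
# bitness matches the processes of interest (a 32-bit PowerShell cannot read
# the module list of a 64-bit process). Key list and folders are assumptions.

# Resolve the folders once so prefix comparison is done on canonical paths.
$suspectRoots = @($env:TEMP, $env:USERPROFILE) |
    Where-Object { $_ } |
    ForEach-Object { (Resolve-Path $_ -ErrorAction SilentlyContinue).Path } |
    Where-Object { $_ }

function Test-SuspectPath {
    param([string]$Path)
    if (-not $Path) { return $false }
    foreach ($root in $suspectRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# Pull the executable out of a Run-key command line, e.g.
#   "C:\Users\x\AppData\Local\Temp\a.exe" /s   or   %TEMP%\a.exe /s
function Get-ImagePath {
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine)
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^\s*(\S+)')     { return $Matches[1] }
    return $null
}

function Get-SignatureStatus {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path -ErrorAction SilentlyContinue
    if ($sig) { return $sig.Status } else { return 'Unknown' }
}

# Autostart locations checked (assumption: the common Run/RunOnce keys).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Find-SuspectAutostarts {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are provider metadata
            $image = Get-ImagePath $p.Value
            if (Test-SuspectPath $image) {
                [pscustomobject]@{
                    Type     = 'RunKey'
                    Location = "$key\$($p.Name)"
                    Path     = $image
                    Signed   = Get-SignatureStatus $image
                }
            }
        }
    }
}

function Find-SuspectModules {
    foreach ($proc in Get-Process) {
        $modules = $null
        try { $modules = $proc.Modules } catch { continue }   # access denied or bitness mismatch
        if (-not $modules) { continue }
        foreach ($m in $modules) {
            if (Test-SuspectPath $m.FileName) {
                [pscustomobject]@{
                    Type     = 'Module'
                    Location = "$($proc.ProcessName) (PID $($proc.Id))"
                    Path     = $m.FileName
                    Signed   = Get-SignatureStatus $m.FileName
                }
            }
        }
    }
}

@(Find-SuspectAutostarts) + @(Find-SuspectModules) |
    Sort-Object Type, Path |
    Format-Table -AutoSize
```

Expect legitimate hits: per-user installers such as OneDrive place both their Run entry and their executables under %USERPROFILE%\AppData\Local, so the output is a triage list, not a verdict. An unsigned (Signed = NotSigned) module under %TEMP% that appears in many unrelated processes at once is the pattern the post describes and is what to look at first; a DLL loaded into every process that uses kernel32 will show up under nearly every PID in the Module rows.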
The malware tries to block its removal, whether by manual cleaning or by a security product, by creating two monitoring threads that continuously check whether its file component and its registry entry have been modified by anyone else, and restore them if so. The mechanism is implemented with the following Windows APIs:
Next, Claretore is ready to do its 'dirty work'. It hooks the following three network APIs to intercept certain web traffic:
Image 3 - Tracing through Win32/Claretore code
Win32/Claretore collects the following details about the affected computer, obfuscates them with MD5 (a hash function, not an encryption algorithm), and sends them to an attacker-supplied URL:
This threat is detected and removed by the Microsoft Windows Malicious Software Removal Tool and by up-to-date antimalware protection. Thank you for reading, and stay tuned to the MMPC for the latest developments in the digital threat landscape.
--Tim Liu, MMPC