We had included Win32/Kuluoz and Win32/Cleaman in the June edition of the Microsoft Malicious Software Removal Tool (MSRT). In this blog post we will discuss Win32/Cleaman – a family that belongs to the category of "web redirector".

Win32/Cleaman is a multi-component trojan with the capability to redirect web search queries. It is usually distributed via drive-by exploit kits and its main purpose is to redirect Bing, Google, and Yahoo search results to either fake or compromised webpages that serve advertisements, adware programs, and malware. Cleaman arrives with an obfuscated loader that drops the EXE and DLL component. It modifies the Windows Hosts file to redirect search engine access to a bogus server, for example:

Figure 1: Hosts file modified to redirect Google and Bing access to a server with the IP address 94.63.147.16 and .17, respectively

To mask its presence, Cleaman uses file names that are similar to clean Windows system files. Furthermore, it has some rootkit functionality in that it hooks several APIs to hide the files, registry, process, and networking operations from common user-mode tools such as Explorer and Registry Editor. There are rootkit-aware tools that are available out there that can help you view hidden Cleaman components, which was what we used to take these screenshots:


 
Figure 2: Hidden Cleaman files


   
Figure 3: Hidden Cleaman process

Figure 4: Hidden Cleaman registry entry

For complete information about the behavior of this family, please refer to our descriptions for Win32/Cleaman in the MMPC encyclopedia.

Since the release of the MSRT on June 12, we have removed 59,479 Win32/Cleaman threats from 56,982 computers.
 


Figure 5: Number of Cleaman threats cleaned since the June MSRT edition

The spike from June 12th is around the time that the MSRT tool that included Cleaman was released.
Looking at the origin of detections for Cleaman, United States has the highest percentage of infections with 79%, followed by Canada and United Kingdom with 5% and 4% respectively.


 
Figure 6: Win32/Cleaman detection by country

Microsoft Security Essentials and Microsoft System Center 2012 Endpoint Protection both offer real-time protection to help keep your computers safe against these kinds of threats.

-- Rodel Finones, MMPC