In this month's Microsoft Malicious Software Removal Tool (MSRT) release, we add Win32/Medfos. This is a fairly new family, but its detection numbers keep growing around the world, especially in the United States. The initial Win32/Medfos infection is usually a downloader component that is distributed in different ways; for example, by visiting a compromised website that redirects to an exploit, or by existing malware that downloads it to the already-infected machine. As with a lot of other malware, Win32/Medfos drops itself into the %AppData% folder and adds a registry run key to persist on the system; if you want more details about this, please refer to our Win32/Medfos family description.

After the initial infection, an additional component is downloaded from the C&C server and run. The sole purpose of this component is to redirect search engine results, thus profiting the distributors. To get a better view of this malware, Figure 1 shows the big picture of Medfos's infection vectors and search-engine result-redirection process.


Figure 1: The Win32/Medfos landscape


Win32/Medfos uses two methods to monitor search-engine queries and hijack their results: process injection and web-browser extension installation. For Internet Explorer, the hijacking module is injected into the running browser processes, so the monitoring is invisible to users. For Firefox, an additional browser extension is installed. Because the extension is visible in the Firefox extensions list, Medfos reduces the chance of it being uninstalled by choosing names that look very legitimate and changing them frequently. As shown in Figure 2, one of the recent names is "Mozilla Safe Browsing". The name, along with the extension's description, makes it look like something that could have a legitimate purpose.

Figure 2: Medfos Firefox extension


But of course it's not.

When searching with some popular search engines (see our Win32/Medfos family description for a list), a hidden request with search engine information and the search query is sent to the Ads control server. The server returns a URL to which the search results will be redirected. For example, searching for the keyword "test" with Bing, the following hidden information is sent:

hxxp://XX.XX.132.53/feed?req=http:%2F%2Fwww.bing.com%2Fsearch%3Fq=test%26src=IE-SearchBox&u=<encoded data>

and the following data is returned that instructs Medfos where and how to redirect the result:

hxxp://XXXXXXXXX.l.doubleeclick.net/url?bs=b88b&rtls=http%3A%2F%2Fsearchesnavigator.com%2Fsearch%3Fquery%3Dtest|Looking_for...?|bid=0.048

The highlighted part of the returned data is used in the search-result redirection HTTP request. Once any of the search results is clicked, the user is redirected to the Ads redirection server returned in the above response instead of being sent to the actual result. The result URL is included in the redirection request, so the server can choose whether to direct the user to additional ads or to the search result.
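The two messages above follow a fixed layout: a `/feed` beacon whose `req` parameter carries the URL-encoded search request, and a pipe-delimited reply of the form `<redirect URL>|<title>|bid=<price>`. The following Python is an added example (not code from the MMPC post or from the malware) that turns that layout into a detection: it scans a constructed web-proxy log for beacon lines, recovers which search engine and query were leaked, and decodes a reply string to extract the final redirect destination for blocking. The log format (`<time> <client> <method> <url>`), the placeholder C&C address 203.0.113.53 standing in for the redacted XX.XX.132.53, and the search-engine hosts other than Bing are all assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Search-engine hosts whose queries Medfos forwards. Only Bing appears in the
# post; the other two entries are assumptions added for illustration.
SEARCH_HOSTS = {"www.bing.com", "www.google.com", "search.yahoo.com"}

# Constructed proxy log in an assumed "<time> <client> <method> <url>" format.
# 203.0.113.53 is a documentation-range placeholder for the post's redacted
# XX.XX.132.53; the 'u' values are made-up opaque data.
SAMPLE_LOG = """\
2012-11-13T10:01:02Z 10.0.0.5 GET http://www.bing.com/search?q=test&src=IE-SearchBox
2012-11-13T10:01:03Z 10.0.0.5 GET http://203.0.113.53/feed?req=http:%2F%2Fwww.bing.com%2Fsearch%3Fq=test%26src=IE-SearchBox&u=ZW5jb2RlZA
2012-11-13T10:02:10Z 10.0.0.7 GET http://example.org/feed?format=rss
2012-11-13T10:03:44Z 10.0.0.5 GET http://203.0.113.53/feed?req=http:%2F%2Fwww.bing.com%2Fsearch%3Fq=antivirus&u=ZW5jb2RlZA
"""


def refang(url: str) -> str:
    """Turn the defanged 'hxxp://' form used in reports back into a real scheme."""
    return url.replace("hxxp://", "http://", 1).replace("hxxps://", "https://", 1)


def parse_beacon(url: str):
    """Return details of a Medfos-style search beacon, or None if the URL is not one.

    Pattern from the post: path /feed, a 'req' parameter holding the
    URL-encoded search-engine request, and an opaque 'u' parameter.
    """
    parsed = urlparse(refang(url))
    if parsed.path != "/feed":
        return None
    params = parse_qs(parsed.query)
    if "req" not in params or "u" not in params:
        return None
    inner = urlparse(params["req"][0])  # parse_qs has already percent-decoded it
    if inner.netloc not in SEARCH_HOSTS:
        return None
    query = parse_qs(inner.query).get("q", [""])[0]
    return {"c2_host": parsed.netloc, "search_host": inner.netloc, "query": query}


def parse_redirect_response(body: str):
    """Decode the pipe-delimited reply: '<redirect URL>|<title>|bid=<price>'.

    The destination the victim finally lands on is carried URL-encoded in the
    'rtls' parameter of the first field.
    """
    fields = body.strip().split("|")
    if len(fields) != 3 or not fields[2].startswith("bid="):
        raise ValueError("unexpected response layout")
    redirect = urlparse(refang(fields[0]))
    rtls = parse_qs(redirect.query).get("rtls", [""])[0]
    return {
        "ad_server": redirect.netloc,
        "destination": urlparse(rtls).netloc,
        "destination_url": rtls,
        "title": fields[1],
        "bid": float(fields[2][len("bid="):]),
    }


def scan_log(text: str):
    """Return one alert per beacon line: who, which C&C, which engine, what query."""
    alerts = []
    for line in text.splitlines():
        try:
            when, client, _method, url = line.split(" ", 3)
        except ValueError:
            continue  # skip malformed lines instead of aborting a batch run
        hit = parse_beacon(url)
        if hit:
            alerts.append({"time": when, "client": client, **hit})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['time']} {alert['client']} -> {alert['c2_host']} "
              f"leaked {alert['search_host']} query {alert['query']!r}")
    # The reply string shown in the post, decoded to its redirect target.
    reply = ("hxxp://XXXXXXXXX.l.doubleeclick.net/url?bs=b88b&rtls=http%3A%2F%2F"
             "searchesnavigator.com%2Fsearch%3Fquery%3Dtest|Looking_for...?|bid=0.048")
    print(parse_redirect_response(reply))
```

The beacon check keys on structure (path, `req` wrapping a search URL, `u`) rather than on the C&C address, since the address is the part an operator can change most cheaply; the decoded `rtls` host is what a proxy or DNS blocklist would act on.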

As observed in our analysis, the redirection destination chosen by the Ads redirection server is tailored to the search keywords -- for example, when the keyword was "antivirus", the search result was redirected to a website that sells antivirus products, and for "chrome", it was a product that fixes Google Chrome issues. Presumably this is done to increase profit by generating better-targeted ad traffic. The redirection to ads does not happen on every search, however, so the absence of visible search-engine result redirections does not necessarily mean a system is clean.

Win32/Medfos causes unwanted traffic and redirection. Please scan your system with our new MSRT release to make sure your system is clean from it.


Shawn Wang
MMPC