Symantec has spotted a recent surge of infections of Trojan.Viknok, which can gain elevated operating system privileges in order to add compromised computers to a botnet. Trojan.Viknok, first observed in April 2013, infects dll files with a malicious payload. Since its initial discovery, the malware has evolved into a sophisticated threat, capable of obtaining elevated operating system privileges in order to infect system files on multiple Windows operating systems, such as the 32 and 64-bit versions of Windows XP, Vista and 7.
Attackers have been observed using Viknok-infected computers to carry out Adclick fraud. While click-fraud activity has been prevalent for years, it still seems to be an effective way for scammers to make money. The scammers behind the current Viknok campaign have gone to a lot of effort to add more victims to their Adclick botnet, helping them make more money in the process.
While the Viknok malware was discovered last year, attackers have been increasingly using the threat in the last six months. In April 2014, Symantec observed a spike in Trojan.Viknok activity along with new reports of Viknok-infected computers playing random audio clips through victims’ speakers. In the first week of May alone, Symantec saw 16,500 unique Viknok infections. The majority of victims are located in the US.
In this blog, we’ll talk about how Viknok manages to alter a system dll to gain elevated privileges. We’ll discuss the techniques the threat uses to infect its targets and how it takes advantage of compromised computers to conduct click-fraud. Finally, we’ll show how many Viknok infections have occurred in recent months and talk about how to protect yourself from this threat.
Viknok’s privilege escalation exploit
Modifying a system dll is no easy task in today’s operating systems. Even if a user is operating from an administrator account, they will not have the permissions to alter core system files, such as rpcss.dll, which lets software continue to run each time Windows restarts. So how can Viknok infect these files?
Viknok has an arsenal of techniques at its disposal to let it perform the silent infection of the system file rpcss.dll. These methods consist of:
- Using SeTakeOwnershipPrivilege to take ownership of system files.
- Taking advantage of Windows’ Dynamic-Link Library Search Order to run a malicious dll inside the System Preparation Tool process.
- Using the “Run a legacy CPL elevated” tool to run a dll with elevated privileges.
- Exploiting the Microsoft Windows Kernel ‘Win32k.sys’ Local Privilege Escalation Vulnerability (CVE-2013-3660) to carry out a privilege escalation.
The most powerful of these techniques is the exploitation of CVE-2013-3660, which allows the threat to run code in kernel mode.
Figure 1. The exploit’s payload code
The code in the previous image shows how the threat assigns itself the System process’ primary access token, giving the malware the same privileges as the user with the highest administrative rights.
How Viknok infects computers
Depending on the privileges used to initially execute Viknok, the threat may try one or more of the previously mentioned techniques. The threat’s purpose is to infect the file rpcss.dll, so that the malicious code is executed every time Windows starts. The infection of this file merely provides a loader for the core of the malware itself, which is usually stored in an encrypted file in the %System% folder.
We tested several scenarios to verify Viknok’s infection capabilities, which have been summarized in the following image.
Figure 2. Some common Viknok infection scenarios
There are several conditions that may affect the outcome of the infection process, such as whether the threat is manually downloaded and run, dropped through an exploit, or dropped by the browser or a browser plugin. The previous image does not exhaust all possibilities; however, it shows configurations that are commonly found in user or corporate environments.
In many cases, the infection process is completely stealthy; the threat does not show any warning to the user. The malware is also difficult to detect since it does not create any suspicious running process, nor does it infect any of the standard load points. In some cases, the threat needs to show the User Account Control (UAC) prompt to the user in order to obtain the elevation of privileges. If the user does not grant the permission, the infection will fail. However, the threat uses system components to try to load its code for privilege elevation. As a result, the UAC prompt will look like it’s a part of normal system activity, as shown in the following image.
Figure 3. Example of UAC prompt
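Because the infected rpcss.dll is the only persistent artifact and no standard load point is touched, a defender’s check has to look at the file itself. The following PowerShell is an added example, not Symantec’s code: it reports the owner, Authenticode status and a Windows Resource Protection verification for each rpcss.dll copy. It assumes the Vista/7 default owner of protected system files (NT SERVICE\TrustedInstaller) and the wording of sfc’s “did not find any integrity violations” message; run it from an elevated prompt.

```powershell
# Added example (not from the original post): integrity checks for the rpcss.dll
# copies that Viknok infects. Requires an elevated PowerShell on Windows Vista/7.
$candidates = @(
    (Join-Path $env:SystemRoot 'System32\rpcss.dll'),
    (Join-Path $env:SystemRoot 'SysWOW64\rpcss.dll')   # only exists on 64-bit Windows
) | Where-Object { Test-Path $_ }

function Get-Sha256Hex([string]$Path) {
    # Works on PowerShell 2.0 (Windows 7 default), which lacks Get-FileHash.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try   { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

foreach ($dll in $candidates) {
    $item  = Get-Item $dll
    $owner = (Get-Acl $dll).Owner
    $sig   = Get-AuthenticodeSignature $dll

    # Assumption: protected system files on Vista/7 are owned by TrustedInstaller.
    # Taking ownership via SeTakeOwnershipPrivilege (one of the techniques above)
    # leaves a different owner behind. Not applicable on Windows XP.
    $ownerOk = ($owner -eq 'NT SERVICE\TrustedInstaller')

    # Many system DLLs are catalog-signed rather than embedded-signed, so a
    # "NotSigned" status on older PowerShell versions is not proof of tampering.
    # sfc /verifyfile compares the file against the protected Windows copy.
    # sfc writes UTF-16 to the console, so strip the NUL bytes before matching.
    $sfcRaw = (& "$env:SystemRoot\System32\sfc.exe" /verifyfile="$dll" 2>&1 | Out-String)
    $sfcOut = $sfcRaw -replace "`0", ''
    $sfcOk  = ($sfcOut -match 'did not find any integrity violations')

    New-Object PSObject -Property @{
        Path            = $dll
        SizeBytes       = $item.Length
        LastWriteTime   = $item.LastWriteTime
        Sha256          = Get-Sha256Hex $dll      # record it for comparison with a known-good host
        Owner           = $owner
        OwnerAsExpected = $ownerOk
        Signature       = $sig.Status
        SfcClean        = $sfcOk
        SfcOutput       = $sfcOut.Trim()
    }
}
```

A changed owner, a failed sfc verification, or a SHA-256 that differs from the same file on a patched, known-clean machine of the same Windows build are the signals worth escalating; a signature status alone is inconclusive because of catalog signing.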
Payload & click-fraud activity
As mentioned previously, attackers are currently using Viknok-infected computers to perform click-fraud activity. Attackers carry out this activity using malware detected by Symantec as Trojan.Vikadclick. Once Vikadclick is loaded by the Viknok-infected rpcss.dll file, it will periodically download commands from command-and-control (C&C) servers under the attackers’ control. These commands force the compromised computer to perform network activity related to Adclick fraud.
As a result of Trojan.Viknok infections and the related Adclick fraud, unknowing victims have been experiencing random audio playback through their compromised computers. This is believed to be caused by Trojan.Vikadclick surreptitiously visiting Web pages in the background that contain streaming audio content. Our analysis has shown that Trojan.Vikadclick’s Adclick fraud content includes car insurance for teenagers, tickets to Paris and bulk domain name registration, to name a few.
Symantec telemetry shows that Viknok activity has increased considerably in the last six months, with Symantec detecting and remediating over 22,000 unique infections in April 2014.
Figure 4. Growth in Viknok detections in the last 6 months.
From May 1 to May 6, Symantec telemetry shows that we have detected over 16,500 unique Viknok infections. The majority of the infections have been observed in the US. The number of Viknok detections for May 2014 is on track to reach the highest amount of infections of this malware recorded to date.
Figure 5. Heatmap for Viknok detections in May 2014 to date.
Symantec protects users against Viknok under the following detection names:
- Trojan.Viknok!inf (repairable)
- Trojan.Viknok.B!inf (non-repairable)
- Trojan.Viknok.C!inf (repairable)
- W64.Viknok!inf (repairable)
- W32.Mezit!inf (non-repairable)
The non-repairable infections are related to infected copies of legitimate dlls, which can be safely deleted without affecting the computer.
Intrusion Prevention Signatures
For the best possible protection, Symantec customers should use the latest Symantec technologies incorporated into our consumer and enterprise solutions. Finally, always keep computers up to date with the latest virus definitions and patches.
While still a relative newcomer on the malware threat landscape, Trojan.Viknok has shown its ability to evolve and implement sophisticated infection techniques to circumvent operating system access control mechanisms. Its use of Adclick fraud to monetize the botnet shows that this form of fraud is still a popular means of income for malware authors. The continued spike in Trojan.Viknok activity suggests that this threat looks set to become a common player on the threat landscape, so Symantec will continue to monitor it closely. Symantec is continuing to investigate how this threat arrived on victims’ computers.