While RSA FraudAction Research Labs does not usually focus on pure-play spyware, which is solely interested in users’ keyword searches and browsing habits, over the past year the Lab has repeatedly detected and handled strains of malware called the eDead Trojan. This highly targeted spyware code was developed for the sole purpose of collecting keyword search combinations entered by infected victims who visit online banking, retail, webmail and web portal websites, primarily in Japan and Korea.
eDead only keeps tabs on which targeted site is visited and which keywords are entered. The spyware appears to be a clandestine information-gathering operation, highly suggestive of black-hat SEO manipulation at worst and consumer-behavior intel-gathering at best. Although not very complex, eDead surprisingly comes with a configuration file and a very elaborate trigger list. To distinguish between his numerous infection campaigns, the spyware’s coder uses a different predefined user agent string for each campaign, chosen to match the campaign’s drop-point domain. For example, the user agent “NewToolbar” is used (in bot-to-drop-point communications) together with the drop point “hxxp://newtoolbar.co.kr”.
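As an added example (not part of the RSA report), the following Python scans constructed proxy log lines for the campaign fingerprint described above: a bare, predefined user agent string that mirrors the drop-point domain it posts to. The log format, the bank and helper hostnames and the client addresses are assumptions; only the NewToolbar / newtoolbar.co.kr pair comes from the report.

```python
import re

# Constructed sample proxy log lines (timestamp, client, method, host,
# user agent). Not real captured traffic; only the drop-point host and
# its "NewToolbar" user agent are the pair quoted in the report.
SAMPLE_LOG = """\
2010-05-02T09:14:01 10.0.0.12 GET www.onlinebank.example "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
2010-05-02T09:14:03 10.0.0.12 POST newtoolbar.co.kr "NewToolbar"
2010-05-02T09:15:10 10.0.0.17 GET update.microsoft.com "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
2010-05-02T09:16:44 10.0.0.17 POST search-helper.example "SearchHelper"
2010-05-02T09:17:02 10.0.0.21 GET cdn.example "curl/7.19.7"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<host>\S+) "(?P<ua>[^"]*)"$'
)

def is_bare_token(ua):
    """A bare product name with no version, platform or spaces: the kind of
    predefined per-campaign user agent the report describes, unlike the
    browser's own Mozilla/... string or a tool string such as curl/7.19.7."""
    return bool(re.fullmatch(r'[A-Za-z][A-Za-z0-9_-]{2,}', ua))

def ua_matches_host(ua, host):
    """True when the bare user agent token reappears in the host's first DNS
    label, e.g. "NewToolbar" posting to newtoolbar.co.kr."""
    if not is_bare_token(ua):
        return False
    token = re.sub(r'[^a-z0-9]', '', ua.lower())
    label = re.sub(r'[^a-z0-9]', '', host.split('.')[0].lower())
    return token in label

def find_campaign_beacons(log_text):
    """Return (client, host, user_agent) for every line whose user agent
    mirrors the drop-point domain it talks to."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and ua_matches_host(m['ua'], m['host']):
            hits.append((m['src'], m['host'], m['ua']))
    return hits

def suspected_clients(log_text):
    """Distinct internal clients that produced at least one such beacon."""
    return sorted({src for src, _, _ in find_campaign_beacons(log_text)})

if __name__ == "__main__":
    for src, host, ua in find_campaign_beacons(SAMPLE_LOG):
        print(f"{src} -> {host} using user agent {ua!r}")
```

The heuristic deliberately ignores ordinary browser and tool user agents, so the bank visit on the first line is not flagged; only the two bare-token beacons are.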
Potential Uses for eDead
A botmaster using eDead may, for example, be collecting the most pervasive keywords entered by consumers in an effort to increase the future search-engine ranking of malicious or malware-serving websites, thereby maximizing the web traffic lured into poisoned or bogus websites that contain Trojan infection points. In addition, socially engineered phishing sites distributed via spam email or online ads for non-existent services may also leverage this type of data to increase their ‘success’ rate.
Alternatively, an online advertising or marketing company may have commissioned the spyware code in an attempt to enhance its knowledge base of the most pervasive keyword-search combinations. And seemingly, what better way to collect real-time, up-to-date information on your local customer base than from leading, high-profile websites accessed by the exact target audience you cater to?
One more hypothetical use of the eDead Trojan could be to gather and sell this type of information to any third party willing and able to pay for it, be it botmasters, ad agencies, or anyone else interested in such data on consumers in Korea and Japan. Incidentally, eDead’s coders appear to be of Korean nationality, as all the servers and domains hosting the Trojan’s communication points are Korean-based. As the URL trigger list appearing in different eDead campaigns remains virtually identical, eDead currently seems to be operated by a single perpetrator or gang.
Rudimentary Stealth Mechanisms
Grey-market value to potential buyers aside, eDead installs and deploys itself like any other malicious code, manipulating the Windows Registry and writing files to locations it sees fit, all without opening any type of standard installation GUI or requesting the user’s permission to install itself.
eDead is BHO-based code, meaning it functions like other Browser Helper Objects, Microsoft’s plug-in mechanism for adding functionality to the Internet Explorer web browser. This has two main implications: first, eDead’s grip on an infected system is only at the browser level; second, it can only infect users who browse the web with Internet Explorer (in its current form, the Trojan won’t function in any other browser).
The BHO functionality is also one of two main attributes that enable eDead to maintain a low profile. As a BHO, eDead can stay hidden from application-aware (software) firewalls, which do not usually prevent Internet Explorer from receiving and sending web traffic on behalf of a BHO: because the BHO runs inside the browser process, its traffic appears to come from the trusted browser itself.
Also, as a polymorphic Trojan, eDead retains its functionality while varying its MD5 hash from sample to sample, and thus evades detection by many signature-based AV engines.
eDead installs a visible browser toolbar on infected systems, though its exact functionality currently remains unclear (Figure 1). The browser toolbar may be how online users get infected in the first place, believing it to be a legitimate add-on. Theoretically, the toolbar may also perform additional monitoring activities, or be used to record keyword searches performed outside the list of targeted websites. And although the code has no password-stealing functionality and does not intercept general HTTP/HTTPS communications, it does have a long list of bank triggers. Combined with the long roster of update points from which eDead receives updates to its communication patterns, this spyware could hypothetically be converted into a banking Trojan quite easily by adding form-grabbing functionality and pushing new configuration updates to its bots.
Although eDead does not feature novel technical abilities, it does make the world of geo-targeted spyware more tangible than ever. And whereas the Lab often reports on legitimate business models and tools being exploited for nefarious operations, this spyware is an example of a nefarious operation potentially used for legitimate purposes: online marketing.
Figure 1: Details of Sample Toolbar Installed by eDead Trojan (sample MD5: 1848c29436dabeedf73358709e68d748)