One of our readers, Jerry Askew, sent us an interesting downloader today. The malware was spammed in e-mail (of course) and it was an executable file disguised as a jpeg, inside a ZIP archive.
Various AV tools at that point in time did not detect this particular sample, so we decided to spend some time analyzing what it does.

Downloader after downloader

The sample is a downloader, which is typical for a vast majority of malware that is spammed today. The downloader connects to a web site and downloads the second stage payload, which is another downloader.

This second stage downloader downloads and installs a small zoo of malware. Besides the usual culprits, such as keyloggers and BHOs (Browser Helper Objects), what's interesting is that it downloads multiple versions of the same Trojan. Brief analysis of these files showed that they all behave absolutely the same, but look different and have different checksums. When we tested them against AV programs, they had different detection depending on the file scanned (although some AV programs detected all of them as being the same family, but different minor versions). Why the authors decided to do this is not clear, but I suspect that they were just trying to increase their chance of getting the malware onto a machine ? even if your AV program detected and blocked couple of samples, there might be one which is not detected.

After this third stage executable has been downloaded, it will turn off the host based firewall that comes with Windows XP SP2. It actually completely disables the Windows Security Center Service (wscsvc).

Malware then connects to its control and command center, which is a plain web server this time (no IRC). The web server produces a nice HTML page which has three different forms: ftpstaticdata, softstaticdata and softvardata. These will instruct malware to download additional modules. Of special interest was the ftpstaticdata section. This section contained an FTP server IP address and a username/password pair that malware used to upload keylogger logs.

Google Maps at your service

Now comes the interesting part. The authors actually went a step further. Before uploading the data to the FTP server, the malware connects to detectlocation.ru, which seems to be another compromised site setup just for this, and executes a perl script on that site. The perl script takes the IP address of the infected machine as input (this is passed as a parameter in the URL) and detects the geographical location of the IP address. What's interesting is that it even passes back valid coordinates that can be used in Google Maps!
Now when uploading data captured by the keylogger malware also automatically sorts it into directories, depending on the location of the IP address.

While at this moment malware only seems to be capturing information on infected machines, it will be interesting to monitor it to see whether it is related to the latest spam increase.

Lessons learned

In any case, it looks like malware authors got a little bit creative when they decided to use Google Maps. Also, the huge number of installed Trojans and other malicious programs once again show that when you encounter an infection like this one, reinstallation is the only option.