Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    September 2013
    S M T W T F S
    « Aug    
    1234567
    891011121314
    15161718192021
    22232425262728
    2930  
    • About Us
    TrendLabs Security Intelligence Blog > The Mysterious Mevade Malware

    Since August 19, 2013, there has been remarkable growth in the number of Tor users, which caused much speculation. Was August 19 the starting date to run en masse from the NSA’s PRISM project? Were European internet users downloading the latest American cable TV series via Tor only, thus overcoming blockades of sites like the Pirate Bay by European ISPs? Neither was very likely, so some thought a botnet abusing the Tor network to hide its command and control server must be the reason of the sudden increase of Tor users.

    Yesterday, Fox-IT published evidence for this plausible explanation. The Mevade malware family downloaded a Tor component, possibly as a backup mechanism for its C&C communications. (We will release a second blog post describing in more detail the behavior of the Mevade variants we have encountered.)

    Feedback provided by the Smart Protection Network shows that the Mevade malware was, indeed, downloading a Tor module in the last weeks of August and early September. Tor can be used by bad actors to hide their C&C servers, and taking down a Tor hidden service is virtually impossible.

    The actors themselves, however, have been a bit less careful about hiding their identities. They operate from Kharkov, Ukraine and Israel and have been active since at least 2010. One of the main actors is known as “Scorpion”. Another actor uses the nickname “Dekadent”. Together, they are part of a well organized and probably well financed cybercrime gang.

    We strongly associate these actors with installations of adware and hijacking search results. Therefore, we suspect that one of the ways the Mevade botnet is monetized is by installing adware and toolbars onto affected systems. In fact, we have seen Mevade downloading adware. Adware and toolbars might seem less harmful than e.g. data stealing malware, but the reality is that there is a lot of money to be made in fraudulent advertising.

    We would also like to point out that Mevade also has a backdoor component and communicates over SSH to remote hosts. Therefore, the risk for data theft is still very high.





    Share this article
    		 Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon



    This entry was posted on Thursday, September 5th, 2013 at 6:45 pm and is filed under Bad Sites, Hacked Sites, Malware . You can leave a response, or trackback from your own site.





     

    Other Trend Micro blogs
    CTO Insights
    CounterMeasures Blog
    Cloud Security Blog
    Consumerization Blog
    Fearless Web
    Internet Safety for Kids & Families
    Simply Security News
    Trend Micro Blog [German]
    TrendLabs Security Blog [Japan]
    Cloud Security APAC
    Trend Micro Free Tools Threat Encyclopedia Trend Micro Videos
    Do you have a product-related question? Visit our eSupport website.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice