Symantec has detected a new Trojan horse that shows users fake advertisements when they view web pages. The Trojan uses SPF (Sender Policy Framework), an extension to the protocol for sending e-mail, to receive instructions from the attackers. This technique allows the malware to remain unnoticed on the victim's computer.

SPF protocol trojan

The main objective of the Trojan, called Spachanel, is to inject a malicious JavaScript script into every web page opened in the user's browser, Symantec expert Takashi Katsuki said in his blog.

The malicious program injects HTML elements that in turn load JavaScript files from a remote URL. The JavaScript code displays fake advertisements in pop-up windows, and the attackers earn some income each time this happens.

The most interesting aspect of the malware is the way it obtains updated URLs from the attackers.

The Trojan periodically generates a domain name according to a specified algorithm and looks up the SPF record for that domain. The attackers know in advance exactly which domain will be generated; they register it and set up an SPF record for it containing the IP addresses and hosts from which the malware can build new URLs.

Note that an SPF policy is meant to be used for verifying the authenticity of e-mails. In the case of the Spachanel Trojan, however, it supplies a list of fake hosts. This allows the attackers to hide malicious traffic from firewalls and other security software that blocks direct connections to known malicious C&C servers.

“In some cases, certain domains are blocked by the local DNS server, but the detected Trojan creates domain names of a kind that are rarely filtered,” said Katsuki.
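The behaviour described above leaves a trace a defender can look for: a workstation, rather than a mail server, requesting TXT records whose answer is an SPF policy. The following is an added example, not code from Symantec or from the original article. It scans DNS log lines for that pattern and extracts the hosts and addresses carried in the record; the log format, the mail-server allowlist and all domain names and addresses are constructed for illustration.

```python
import re
import shlex

# Hosts expected to resolve SPF records (assumption: your MTAs / mail filters).
MAIL_SERVERS = {"10.0.0.25"}

# Constructed sample DNS log: <time> <client_ip> <qtype> <qname> "<answer>"
SAMPLE_LOG = '''\
2013-01-25T10:00:01Z 10.0.0.25 TXT partner.example "v=spf1 ip4:192.0.2.10 include:_spf.partner.example -all"
2013-01-25T10:00:07Z 10.0.5.44 A www.example.org "198.51.100.7"
2013-01-25T10:03:12Z 10.0.5.44 TXT qzkxwvbn.example "v=spf1 a:ads1.host.example ip4:203.0.113.77 ~all"
2013-01-25T10:04:40Z 10.0.5.61 TXT verify.example "site-verification=abc123"
'''

# SPF mechanisms that carry a host name or address (RFC 7208).
MECH = re.compile(r"^[+\-~?]?(ip4|ip6|a|mx|include|exists):(\S+)$", re.I)

def parse_spf(txt):
    """Return (mechanism, value) pairs from an SPF TXT string, or [] if not SPF."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return []
    found = []
    for term in terms[1:]:
        m = MECH.match(term)
        if m:
            found.append((m.group(1).lower(), m.group(2)))
    return found

def flag_spf_lookups(log_text, mail_servers=MAIL_SERVERS):
    """Flag SPF record lookups made by clients that are not mail servers."""
    alerts = []
    for line in log_text.splitlines():
        fields = shlex.split(line)
        if len(fields) != 5:
            continue  # skip malformed lines
        _time, client, qtype, qname, answer = fields
        if qtype.upper() != "TXT" or client in mail_servers:
            continue
        endpoints = parse_spf(answer)
        if endpoints:  # a non-mail host fetched an SPF policy that names hosts
            alerts.append({"client": client, "qname": qname, "endpoints": endpoints})
    return alerts

if __name__ == "__main__":
    for alert in flag_spf_lookups(SAMPLE_LOG):
        print(alert)
```

The extracted endpoints can then be compared against proxy or firewall logs for the same client to see whether it contacted them afterwards.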