Throughout history, philosophers and scientists have pondered the question of which came first: the chicken or the egg. Over the last week, Security Response has seen an increase in the number of W32.Changeup detections. We know that Changeup can download a bevy of other threats onto a compromised computer. But an unanswered question is how does W32.Changeup compromise a computer in the first place?
While other vendors have indicated the latest round of Changeup has spread through social networking websites, Symantec Security Response has managed to identify one source of the worm.
In recent malicious spam claiming to contain a secure message from banking institutions (Figure 1), users are instructed to download an attached file and execute it. This securedoc.html.zip file is actually an executable file that Symantec detects as Downloader.Ponik.
Figure 1. Downloader.Ponik attached to spam
Once the user executes this file, Downloader.Ponik attempts to contact different URLs in order to locate and download the peer-to-peer version of Trojan.Zbot (also known as Gameover). Trojan.Zbot will then download and execute W32.Changeup.
Figure 2. Steps in Downloader.Ponik attack
Symantec has antivirus and intrusion prevention system signatures in place to protect customers from Ponik, Zbot, and Changeup.
Intrusion Prevention System signatures
In addition to the most current antivirus protection and intrusion prevention signatures, Security Response recommends companies warn employees about downloading attachments from email.
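As an added example (not code from this post or from Symantec), one way a mail gateway could screen attachments like the securedoc.html.zip lure described above: it flags document-lookalike archive names, double extensions inside the archive, and PE content (the "MZ" DOS header) regardless of filename. The inner filename and payload are constructed for the demonstration, and the check assumes the lure arrives as a zip archive wrapping the executable.

```python
import io
import re
import zipfile

# Constructed sample builder: a zip attachment in the style of the spam lure,
# carrying a file whose name mimics a document but whose content starts with
# the PE "MZ" header. Built inline so the check runs offline.
def build_sample_attachment(inner_name: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, payload)
    return buf.getvalue()

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_LOOKALIKES = {".html", ".htm", ".pdf", ".doc", ".docx", ".txt"}
# A document extension immediately followed by an executable extension
DOUBLE_EXT = re.compile(r"\.(html?|pdf|docx?|txt)\.(exe|scr|com|pif|bat|cmd|js|vbs)$", re.I)

def inspect_zip_attachment(attachment_name: str, data: bytes) -> list:
    """Return the reasons this attachment looks like a disguised executable (empty if none)."""
    findings = []
    lower = attachment_name.lower()
    # An archive named like a document (e.g. securedoc.html.zip) is itself a lure pattern
    if lower.endswith(".zip") and any(lower[:-4].endswith(ext) for ext in DOCUMENT_LOOKALIKES):
        findings.append("archive name mimics a document: " + attachment_name)
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append("attachment is not a valid zip archive")
        return findings
    for info in zf.infolist():
        name = info.filename
        lname = name.lower()
        if DOUBLE_EXT.search(lname):
            findings.append("double extension inside archive: " + name)
        elif any(lname.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
            findings.append("executable inside archive: " + name)
        # Content check: a PE file starts with "MZ" whatever the name claims
        with zf.open(info) as member:
            if member.read(2) == b"MZ":
                findings.append("PE executable content (MZ header) in: " + name)
    return findings

if __name__ == "__main__":
    sample = build_sample_attachment("securedoc.html.exe", b"MZ" + b"\x00" * 62)
    for reason in inspect_zip_attachment("securedoc.html.zip", sample):
        print("FLAG:", reason)
```

Running the block prints three findings for the constructed lure and nothing for an archive containing a plain text file.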
While W32.Changeup spreads to network shares and removable drives, we have also observed it downloading the peer-to-peer Trojan.Zbot, so either piece of malware may precede the other in an infection. It is plausible, then, that the driving force behind the recent rise in Changeup detections is actually to help distribute peer-to-peer Trojan.Zbot.