Yesterday, the cybercriminals behind the W32.Changeup worm were dealt a significant blow when a large chunk of its operational infrastructure was taken out of action during what has been dubbed Operation Source. The operation was a joint effort between law enforcement agencies, such as Europol and the FBI, and security firms, such as Intel Security and Kaspersky Lab.
Symantec’s extensive coverage of the Changeup worm, which includes a vast array of antivirus and intrusion prevention detections as well as detailed research on the threat, is evidence in itself of just how much of a problem this malware was during the height of its reign.
The Changeup worm (also known as Beebone, Vobfus, or VBNA) first arrived on the scene in 2009 and quickly made a name for itself. Changeup is a polymorphic worm that initially spread only through removable and mapped drives, relying on the Windows Autorun feature to execute automatically. The worm is written in Visual Basic (VB). On the one hand this could be considered a limiting factor, since a specific set of skills is required to implement complex behavior in VB malware; on the other hand, VB malware can also demand considerably more time and effort from security researchers when it comes to analysis.
Changeup first drew the spotlight about a year after it appeared, when it began exploiting the Microsoft Windows Shortcut 'LNK' Files Automatic File Execution Vulnerability (CVE-2010-2568) to spread. CVE-2010-2568 allowed a computer to become infected if a user merely viewed the contents of a folder containing a malicious .lnk (shortcut) file. This was due to Windows failing to properly handle shortcut files, which allowed code to execute automatically as soon as the shortcut was displayed. This meant that Changeup no longer had to rely on the Autorun feature alone. The worm would later employ file-sharing applications in its efforts to spread to as many computers as possible.
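The two propagation vectors described above (an autorun.inf that launches a program when a removable drive is opened, and shortcut files dropped onto shared or removable media) leave artefacts that can be checked for from the defender's side. The following script is an added example, not code from the original post or from Symantec: it walks a directory standing in for a mounted removable drive, parses any autorun.inf for directives that launch a program, and identifies shortcut files by the fixed 20-byte shell-link header rather than trusting the file extension. The sample drive contents, including the file names "RECYCLER\update.exe" and "Photos.lnk", are constructed for the demonstration.

```python
"""Scan a directory tree (for example the mount point of a removable drive) for
the two artefacts an Autorun/LNK-spreading worm leaves behind: an autorun.inf
that launches a program, and Windows shortcut files, identified by their fixed
header rather than by extension alone. Added example, not part of the original post."""
import tempfile
from pathlib import Path

# Fixed 20-byte prefix of every Windows shell link: HeaderSize 0x4C followed by
# the LinkCLSID 00021401-0000-0000-C000-000000000046 in little-endian GUID layout.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")

# [autorun] directives that cause a program to run when the drive is opened.
EXEC_KEYS = {"open", "shellexecute"}


def parse_autorun(text):
    """Return a dict of lower-cased key -> value for the [autorun] section only."""
    directives = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        directives[key.strip().lower()] = value.strip()
    return directives


def autorun_findings(directives):
    """Keys that launch a program; shell\\<verb>\\command entries count as well."""
    return sorted(
        k for k in directives
        if k in EXEC_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))
    )


def is_lnk(path):
    """True if the file starts with the shell-link header, whatever its name."""
    with open(path, "rb") as fh:
        return fh.read(len(LNK_MAGIC)) == LNK_MAGIC


def scan_drive(root):
    """Walk root and return a sorted list of (relative_path, reason) findings."""
    findings = []
    root = Path(root)
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.lower() == "autorun.inf":
            keys = autorun_findings(parse_autorun(path.read_text(errors="replace")))
            for k in keys:
                findings.append((rel, f"autorun.inf launches a program via '{k}'"))
        if is_lnk(path):
            findings.append((rel, "file has a Windows shell link header"))
    return sorted(findings)


def build_sample_drive():
    """Construct a throw-away directory standing in for a removable drive.

    Every file here is constructed for the demonstration; the .lnk is only a
    header plus padding and the 'payload' is an empty MZ stub."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "autorun.inf").write_text(
        "[autorun]\n"
        "icon=%SystemRoot%\\system32\\shell32.dll,4\n"
        "open=RECYCLER\\update.exe\n"
        "shell\\open\\command=RECYCLER\\update.exe\n"
    )
    (root / "RECYCLER").mkdir()
    (root / "RECYCLER" / "update.exe").write_bytes(b"MZ" + b"\x00" * 62)
    (root / "Photos.lnk").write_bytes(LNK_MAGIC + b"\x00" * 56)
    (root / "readme.txt").write_text("benign\n")
    return str(root)


if __name__ == "__main__":
    for rel, reason in scan_drive(build_sample_drive()):
        print(f"{rel}: {reason}")
```

On the constructed drive the scan reports the two launching directives in autorun.inf and the shortcut file, and ignores the text file and the bare MZ stub. A hit from this check is a reason to look closer, not proof of infection: legitimate installer media ships autorun.inf with an open= line, and a shortcut header says nothing about what the shortcut points to. The two vectors themselves are closed by disabling Autorun for removable media and by applying the update for CVE-2010-2568.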
Although the worm’s main function is primarily the distribution of other threats, it’s the selection of malware that Changeup downloads that makes it a worm to be reckoned with. As well as downloading several misleading applications, Changeup has been known to download the following threats:
Since many of these threats open up a back door, this gives an attacker the ability to carry out a multitude of malicious activities on the compromised computer.
How many infections today?
Although Changeup activity has been in decline in recent times, it remains significant: our telemetry shows that detections dropped from over 55,000 a month at the beginning of 2014 to just under 30,000 a month a year later. These statistics show why efforts to disrupt a malware delivery network such as this should continue.
Figure 1. Changeup detections over time
What regions are impacted?
The United States is home to 11 percent of Changeup infections, followed very closely by South Africa with just over ten percent. Our data shows that other countries also have significant detection rates, so it would seem that Changeup is not selective about its targets. Since one of the ways Changeup spreads is through computers vulnerable to CVE-2010-2568, countries with a higher number of unpatched computers are more likely to have a higher number of Changeup infections.
Figure 2. Top countries targeted by Changeup
Why do these takedown operations still matter?
Despite the lack of arrests, the takedown of criminal infrastructure is still important so that cybercriminals cannot act with impunity. When asked what he thinks Operation Source means for the criminals behind the Changeup worm, Symantec’s security expert Stephen Doherty said: “Since it emerged in 2009, Changeup has become one of the longest running malware delivery networks observed to date. An established player, Changeup has infected millions of machines worldwide and this takedown is another blow to cybercriminals, both to the operators and those who leverage this network for malware distribution.”
Collaborations between law enforcement and security vendors are vitally important in the battle against cybercrime and any successful operation can be considered a victory against the cybercriminals behind these threats. Symantec has worked closely with law enforcement agencies and other vendors in the past to disrupt cybercriminal operations, including last year’s Blackshades (W32.Shadesrat) and Gameover Zeus (Trojan.Zbot) takedowns, among others.
In addition to the multiple antivirus and intrusion prevention detections in place to protect customers from the Changeup worm and the threats it downloads, users can also use the free Norton Power Eraser tool to remove Changeup from compromised computers.