Lavasoft Security Bulletin - February 2014: Under the Dropbox Umbrella

Last month we detected several attempts to download malware using Dropbox as the distribution point. The following are some examples of Dropbox being used for malicious purposes.

1. Rbot/Blazebot (MD5: 9a3490eb3f1e7cc6badde2a680e5975e) downloads and installs fake IM messenger called “skype.exe” (MD5: cca08446df60bace2fdf019c818edec3) detected as Trojan.GenericKD.1523066 by Ad-Aware.
The URL used is:

hxxp://www.v.dropbox.com/s/b5ne62m4z1f3n0e/ms.exe?dl=1

The downloaded application is installed as “skype.exe” in %Windows% folder. It is detected as Trojan.GenericKD.1523066 by Ad-Aware.

2. The polymorphic Fake AV (MD5: c7c1b6f38f5301526c1636d00826094e
and 27 more copies) connects to Dropbox to download a compressed Adobe Flash Player dll.

hxxp://dl-balancer.x.dropbox.com/u/69432480/NPSWF32.z

The downloaded file (MD5: 8e2fae29b76ffc2a137859c605ec974d4c1d) contains the compressed Adobe Flash Player 11.1 library NPSWF32.dll (MD5: de3745a51b7ac7fedc356a83f76c8023). It will be dropped only after patching the first three bytes with the PE signature “MZP” instead of “123”.

3. Another Trojan (MD5: b8402b719d03f467f3b833886810d2e6), detected as Trojan.Generic.8048033 by Ad-Aware, downloads and installs the fake Realtek Audio Driver using the Adobe Download Assistant.
The URLs used are:

hxxp://dl-balancer.x.dropbox.com/s/qh9jjar5l0zxwu2/unzip.exe?dl=1,
hxxp://dl-balancer.x.dropbox.com/s/f5gcg6shw7we4e6/tools.zip?dl=1

The first file, unzip.exe, is a legitimate application used to extract data from another file, tools.zip. Both files are stored in the following folder:

%Documents and Settings%\%current user%\Application Data\Realtek\

The file, “reg.reg”, containing registry settings, is launched using regedit.exe and adds the following run key into the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HD Audio Driver" = "%WinDir%\explorer.exe %Documents and Settings%\%current user%\Application Data\Realtek\RAVCpl32.exe"

We see that “RAVCpl32.exe” (a.k.a. “zcontrol.exe”, MD5: 57fdb4c4017dcf4a64824c6ac86ca887), detected as Gen:Variant.Symmi.13498 by Ad-Aware, will be started at Windows boot up.
Additionally, the malicious downloader uses the legitimate Adobe Download Assistant (ADA) to initiate the download and installation of Adobe AIR from airdownload.adobe.com. The following window is shown to the user while the infection process takes place.

It is not clear why the Adobe AIR cross-platform runtime system is installed - it could be used to distract the user’s attention away from the malicious downloads and the fake Realtek Audio Driver installation.
As we have seen, Dropbox can be used for malicious purposes such as downloading components used by malware. Well-known software brand names are used to distract the user when downloading and installing supposedly trustworthy applications: brands such as Skype, Realtek and Adobe are used to hide the infection making it difficult to spot the attacker’s malicious intent.