Win32/Fareit

Installation

This threat might be installed by other malware.

PWS:Win32/Fareit is usually installed to a particular location by other malware, then run from this location.

For example, Backdoor:Win32/Cycbot installs it to %ProgramFiles%/lp/<four hexadecimal digits>/<number>.tmp (like %ProgramFiles%\lp\008a\7.tmp), while Rogue:Win32/FakeScanti installs it to %AppData%\dwme.exe and %temp%\dwme.exe, or %AppData%\svhostu.exe and %temp%\svhostu.exe.

DDoS:Win32/Fareit.gen!A stops previous versions of itself that might already be running, then it copies itself to %AppData%\pny\pnd.exe.

It creates the following registry entry to ensure that this copy runs at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Microsoft PnD"
With data: "%AppData%\pny\pnd.exe"

It then runs the new copy.

Both components create a registry entry like the following:

In subkey: HKCU\Software\WinRAR
Sets value: "HWID"
With data: "<unique identifier>" (for example, {D9CD7060-83A2-46D0-8CEA-5EDF6043EEC7})

Some variants of PWS:Win32/Fareit delete themselves once they have finished running.

Payload

Steals sensitive information

PWS:Win32/Fareit tries to steal stored website passwords from different browsers including Chrome, Firefox, Internet Explorer, and Opera.

It also tries to steal stored account information, like server names, port numbers, login IDs and passwords from these FTP clients or cloud storage programs if these are installed:

• 32bit FTP
• 3D-FTP
• AceFTP
• ALFTP
• Becky!
• BitKinex
• BlazeFTP
• Bromium (Yandex Chrome)
• BulletProof FTP
• ChromePlus
• Chromium
• ClassicFTP
• CoffeeCup FTP
• CoffeeCup Sitemapper (CoffeeCup FTP)
• CoffeeCup Visual Site Designer
• Comodo Dragon
• CoolNovo
• CoreFTP
• CuteFTP
• Cyberduck
• DeluxeFTP
• DirectFTP (FreeFTP)
• Directory Opus
• Dreamweaver
• Easy FTP
• Epic
• ExpanDrive
• FAR Manager
• FastStone Browser
• FastTrackFTP
• FFFTP
• FileZilla
• Firefox
• FireFTP
• FlashFXP
• Fling
• Flock
• FreeFTP
• FreshFTP
• Frigate3 FTP
• FTP Commander
• FTP Control
• FTP Explorer
• FTP Now
• FTP Surfer
• FTP Voyager
• FTPGetter
• FTPInfo
• FTPRush
• FTPShell
• Global Downloader
• GoFTP
• Google Chrome
• IncrediMail
• Internet Explorer
• K-Meleon
• LeapFTP
• LeechFTP
• LinasFTP
• Mozilla Suite Browser
• MyFTP
• NetDrive
• NETFile
• NexusFile
• Nichrome
• Notepad++ (NppFTP)
• NovaFTP
• Odin Secure FTP Expert
• Opera
• Outlook
• Pocomail
• Putty
• Robo-FTP
• RockMelt
• SeaMonkey
• SecureFX
• sherrod FTP
• SmartFTP
• SoftX
• SRWare Iron (Chromium)
• Staff-FTP
• The Bat!
• Thunderbird
• Total Commander
• TurboFTP
• UltraFXP
• WebDrive
• WebSitePublisher
• Windows Live Mail
• Windows Mail
• WinFTP
• WinSCP
• WinZip
• WiseFTP
• WS_FTP
• Xftp
• Yandex.Internet

It then posts all of this information to a remote server. Examples of servers contacted by this threat include:

• 178<removed>7.165.42
• 178<removed>8.243.211
• 178<removed>38.228.86
• 46.<removed>8.225.50
• 46.<removed>.107.13
• 95.<removed>3.35.118
• bin<removed>obing.com
• dom<removed>wsweetnew12312d.ru
• fni<removed>todn.cz.cc
• fok<removed>al.cz.cc
• fuc<removed>ngav.com
• fuc<removed>ngavast.com
• goi<removed>opka.com
• kla<removed>r.co.cc
• onl<removed>etumb.com
• our<removed>tatransfers.com
• piw<removed>yzocyluz.com
• rep<removed>sys-online.com
• ret<removed>domain.com
• saf<removed>di.com
• sce<removed>fub.cz.cc
• sum<removed>evebat.com
• tel<removed>nero.com
• tra<removed>ersdataforme.com
• win<removed>ing.com

Participates in DDoS attacks

DDoS:Win32/Fareit.gen!A contacts a command and control server, which is controlled by a hacker. From this server, it asks your infected PC to participate in DDoS attacks against other servers of its choosing. It then floods the attacked server with multiple HTTP GET or POST requests. It changes the headers of the requests so that each appears to come from a unique referrer (the webpage that the request appears to be linked from), and from multiple web browser versions and languages. This makes these requests more difficult for the attacked server to filter out.

Examples of command and control servers used at the time of this writing include the following:

• 176.<removed>.112.90
• 176.<removed>.112.95
• 178.<removed>.166.154
• 2220<removed>966122.ru
• drea<removed>milos4.ru

For more information, please see the description for DDoS:Win32/Fareit.gen!A elsewhere in the encyclopedia.

Downloads and runs files

Some samples of PWS:Win32/Fareit have been observed downloading an additional file, saving it to the %TEMP% folder, and then running it. At the time of writing, these files were variants of PWS:Win32/Zbot.

If a new version of DDoS:Win32/Fareit.gen!A is available, its command and control server may provide a copy of the updated file. This file is then saved to the %TEMP% folder and run.

Analysis by David Wood