Installation
Win32/Rotbrow might be installed on your PC by other software. For example, we have seen Rotbrow installed alongside the clean program Babylon Toolbar by a variant of Win32/Brantall.
Win32/Rotbrow installs itself in a folder under <commonappdata>, for example:
The family consists of multiple components, whose file names vary from one version to another. We have seen variants use the following file names for the main component:
- BitGuard.exe
- BrowserProtect.exe
- BitGuard.dll
- BrowserProtect.dll
- bProtect.exe
- Protector.dll
- BrowseMngr.dll
- BrowserDefender.dll
It might install itself as a Firefox extension with one of the following names:
- "bProtector", bprotector.xpi
- "Browser Manager", Babylonmngr.xpi
In Chrome, it might use these names:
- "BrowserProtect", BrowserProtect.crx
- "BrowserProtect", mngr.crx
- "Settings Protector", browsemngr.crx
- "Settings Protector", spext.crx
In Internet Explorer, it might use this name:
- "ProtectorBHO Class", kerberos_bho.dll
You might see it in the Manage Add-ons window in Internet Explorer:
It installs itself as a service so that it runs each time you start your PC.
It might use the service name bProtector with the description "Your browser protector service".
It might also create a scheduled task that runs once every minute to start this service if it has stopped.
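A read-only host check for the installation artifacts listed in this section, added here as an example and not part of the original analysis. It assumes PowerShell 5.1 or later on Windows 8 / Server 2012 or later (for Get-ScheduledTask), an elevated session, and that <commonappdata> resolves to the CommonApplicationData folder.

```powershell
# Added example, not part of the original analysis: read-only triage for the
# Win32/Rotbrow installation artifacts described above. Assumes PowerShell 5.1+
# on Windows 8 / Server 2012 or later and an elevated session; reports only.

$mainNames = @('BitGuard.exe', 'BrowserProtect.exe', 'BitGuard.dll', 'BrowserProtect.dll',
               'bProtect.exe', 'Protector.dll', 'BrowseMngr.dll', 'BrowserDefender.dll')
$findings  = New-Object System.Collections.Generic.List[string]

# 1. Main component files under <commonappdata> (normally C:\ProgramData).
$commonAppData = [Environment]::GetFolderPath('CommonApplicationData')
Get-ChildItem -Path $commonAppData -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $mainNames -contains $_.Name } |
    ForEach-Object { $findings.Add("File: $($_.FullName)") }

# 2. The bProtector service ("Your browser protector service") and its binary.
$svc = Get-CimInstance Win32_Service -Filter "Name='bProtector'" -ErrorAction SilentlyContinue
if ($svc) { $findings.Add("Service: $($svc.Name) '$($svc.Description)' -> $($svc.PathName)") }

# 3. A scheduled task whose action (re)starts that service; the analysis says it
#    runs once a minute, so each trigger's repetition interval is reported too.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ("$($action.Execute) $($action.Arguments)" -match 'bProtector') {
            $interval = ($task.Triggers | ForEach-Object { $_.Repetition.Interval }) -join ','
            $findings.Add("Task: $($task.TaskPath)$($task.TaskName) (repeat $interval) -> " +
                          "$($action.Execute) $($action.Arguments)")
        }
    }
}

# 4. The Internet Explorer BHO ("ProtectorBHO Class", kerberos_bho.dll). The BHO
#    list holds a CLSID; the DLL path is the CLSID's InprocServer32 default value.
#    32-bit registrations on 64-bit Windows live under Wow6432Node, so check both.
$bhoRoots   = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
                'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects')
$clsidRoots = @('Registry::HKEY_CLASSES_ROOT\CLSID', 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID')
foreach ($root in $bhoRoots) {
    Get-ChildItem $root -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        foreach ($cr in $clsidRoots) {
            $server = (Get-ItemProperty "$cr\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            if ($server -match 'kerberos_bho\.dll') { $findings.Add("BHO: $clsid -> $server") }
        }
    }
}

if ($findings.Count -eq 0) { 'No Win32/Rotbrow artifacts found.' } else { $findings }
```

Firefox and Chrome extension files (the .xpi and .crx names above) live in per-user profile folders rather than under <commonappdata>, so they need a separate per-profile search.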
Payload
Installs other files, including malware
Many instances of the main Win32/Rotbrow executable contain another executable in an encrypted resource, which they decrypt to the %TEMP% folder, for example %TEMP%\setup_fsu_cid.exe.
The trojan then runs setup_fsu_cid.exe, which is an installer for a program called FileScout.
In many cases, this installer also contains Win32/Sefnit, which it installs silently alongside FileScout.
Additional information
Win32/Rotbrow hooks a number of APIs to:
- Prevent itself from being stopped or removed
- Prevent the "MindSpark Toolbar Platform IE Search Box Protector" from hooking functions in the current process
- Prevent OLE objects that belong to a product named "SweetPacks" from being loaded
- Monitor registry and file system changes to prevent certain registry keys and files from being modified
- Trigger the JavaScript engine hooking behavior described below
Hooks JavaScript library loading events
It watches library loading events and, when mozjs.dll (the Firefox JavaScript engine) is loaded, hooks the following exports of that library to drive its JavaScript-hooking engine:
- "?Compile@JS@@YAPAUJSScript@@PAUJSContext@@V?$Handle@PAUJSObject@@"
- "?JS_DecodeScript@@YAPAUJSScript@@PAUJSContext@@PBXIPAUJSPrincipal"
It does several JavaScript replacements that specifically disable the following programs:
- Funmoods
- AVG Safeguard Toolbar
It also redirects the browser's startup homepage to a different preference by replacing references to browser.startup.homepage with browser.startup.homepage.CT.
JavaScript replacements also take over the new tab page in Firefox.
Blacklists URLs
The trojan also supports the blacklisting and whitelisting of URLs and domains based on a remote configuration.
Analysis by Hamish O'Dea