The Trojan Vundo story

In this blog, we normally analyze nasty Trojans or other nasty stuff that is – in almost all cases – so new that very few Antivirus Engines can pick it up and protect the user (see e.g. the post about the yaludle/Silentbanker Trojan).

However, today the story is about a typical internet user, about Joe the Plumber, about the Hockey-Mum, about an old Trojan and about the reality out there in the world wide web.

Paula (not her real name) had AVG Free 8 and SUPERAntispyware installed and both components were up-to-date, however she got infected with a Trojan of the limbo family that stole her login names and passwords and only after 9 days it got removed partly by SUPERAntispyware and after 10 days completely by AVG. 10 days!!!

Two months later, she got infected again, this time with the Vundo Trojan even though she has AVG8 & SUPERAntispyware installed. Most probably she got infected through a vulnerability, through a compromised website and/or she got tricked into downloading it deliberately. Unfortunately we have seen this way too often.

But the most interesting part for us was the behavior of the user (Paula) and the current Security Software. For the first 7 days since infection, she didn’t notice anything. No alerts from AVG, however she noticed that she got to funny websites and got offered to install Antivirus 360!!! After approx 7 days, she got a message box from AVG saying that there are some DLL’s on her computer with the Vundo Trojan. However AVG couldn’t remove the DLL’s (as they were protected with rootkit-techniques). Now she knew her system is compromised but her Antivirus failed to secure her!!!

The issue here is that the lay person has no idea if they are protected or not and Paula was not protected.
What now happened is that whenever she opened a web browser, the Trojan would open more windows with Advertising, Adware, Spyware and other nasty stuff. Quite regularly she got alerted that her computer is infected and she would need to download XP Antivirus or Antivirus 360 to fix it. (What a great marketing as these websites know for sure that the machine is compromised ;-). Luckily she knew that she had already an Antivirus Engine running and didn’t download one of those rogue Antivirus Engines……even though this pop up sounded like a familiar named Antivirus Engine she had heard of before.

We thought this is a good field test and installed Norton Internet Security 2009 and after it forced us to remove AVG (apparently Symantec wants to rule the desktop!), it did a quick scan and alerted us that the computer is infected with Trojan Vundo. The Norton User Interface was actually very nice as it didn’t list all the infected files, it realized that they all belong to Vundo and only showed one line. Impressed with this, we found a button “Fix this” and thought we give it a try.

We got a nice green alert saying that the threat has been removed successfully and the computer is safe now. We thought that was really easy and even a typical internet user may be able to do this – until we restarted the machine.
The startup was uneventful and Norton did not alert us of anything. However when we used the webbrowser, other windows with adware/spyware appeared again!!! When we did a Quickscan in Norton 2009, the Trojan Vundo was back!!! A “Fix this” removed it (again), making us believe it is gone, but it will always re-appear……every time the user restarts the machine.

So in the end, we AVG Free 8 and SUPERAntispyware didn’t stop the Trojan from installing and doing its nasty work. Norton Internet Security 2009 provided a much better protection, however failed to remove the Trojan completely causing the potential ongoing threat to the user. And this for a Trojan that is around for more than 4 years (in various mutations)!!!! We as a security software industry can’t be serious. There has to be a better way. How can a typical user even think that they are protected by traditional Antivirus Engines?

We had to manually remove all entries in the various startup sections of the system as well as one BHO inside the Internet Explorer to successfully get rid of Vundo. Now we could remove the files with specialized tools (to counter the rootkit-component) to have a clean machine again :-)

Even though this Trojan was technically not very challenging or advanced, we learned a valuable lesson.

Some technical details

The Trojan consisted of three DLL’s. No executables were involved – this was clearly done to avoid detection from security tools that check the running processes. Two DLL’s were started during system startup with two entries into the HKLM…Run section with rundll32.exe (which is a totally legitimate Microsoft application) and one DLL was registered as a Browser-Helper-Object (BHO) in Internet Explorer.

Interestingly all three DLL’s were NOT visible in the Windows Explorer as they used user-mode rootkit techniques to avoid detection.

All three components checked the presence of each other, meaning that if you only remove the BHO but not the other DLL’s, the BHO will be automatically re-created. And if you remove the two startup DLLS’s but not the BHO, the two startup DLL’s will be recreated automatically as well.

Virustotal Detection is unfortunately again very low!

BTW: One of the offered rogue Antivirus Engines had the filename InstallAVg_770522170802.exe! Sounds familiar, doesn’t it?


A quick note on TrustDefender: Even though Vundo does not try to steal confidential information like username/passwords, TrustDefender picked up the Vundo DLL’s from the first second with our whitelisting approach and the DLL’s were automatically removed from memory on-the-fly. Our rootkit scanner detected them without any problems. All TrustDefender users were protected, especially for any enterprises (Online businesses) that use the TrustDefender system, for all Financial Institutions that are part of our Financial Trust Network and for all self-defined websites.

0 thoughts on “The Trojan Vundo story”

  1. When I was using the Internet explorer very often my computer used to infect all sorts of viruses, malwares, adwares and other wares etc etc as described in this report;However after I have switched over to Firefox this virus problem is very rare and many Internet explorer usurers not aware of this fact.
    More over most of the ordinary and lay people like me who are new comers to the net knows only Internet explorer and not aware of the user friendly Firefox browser due to its silent and free service to human beings unlike money oriented Internet explorer

  2. I was just reading what Balakrishnan had to say, and I am surprised that although I use Firefox and only Firefox, I just found out I was infected with the Trojan.Vundo. I only found out when i ran Malwarebytes. It showed me all of the infections from this virus, and supposedly eliminated them. As for protection, I have Avast Pro. It did not pick up on any of these infections. I also run Kaspersky at least once a week (updated of course), and it did not pick up the infection. I also have Adware Pro, and it did not pick up the infection. Only Malwarebytes did. Now, I am wondering if I am more infected than I thought. I am not sure what program I can run, that will actually find all of the infected files. I would appreciate any information that I can get.

  3. I would vouch for kaspersky internet security, it runs a lot faster than Norton.
    An anti virus kit isnt a foolproof solution, people need to be aware of the threats and be cautious before opening links and emails.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>