RSA Admin

Detecting New 50-Troting Shell Hook Malware

Blog Post created by RSA Admin Employee on Nov 8, 2013

We detected a new variant of malware that engages in search engine abuse to elevate search results for specific topics in popular search engines.  Here is the summary of the malware over at VirusTotal.  At the time of this writing, only 3 AV companies can detect this variant, and the descriptions-  specifically Zbot and Winlock, do not appear to be accurate based on how the malware behaves in our sandbox.


We are calling this "50-Troting Shell Hook" because the first download this malware performs is a DLL file from, and installs a command shell hook onto the system.


What makes this variant unique is that it is easily detected with an application rule in Security Analytics.  First, let's take a look at the pattern that we detected that prompted our investigation:



There were several beacon checkins to servers highlighted above, each connecting to the Search filename in the root directory followed by a specific query string that is 35 characters in length beginning with "id=".


The following hosts participate in the beacon activity, and each has been added to the RSA FirstWatch feed of known C2 Domains:,,,,,,,,,,,,,,,,,,,,,,


To accurately flag this activity in your environment, you can try to implement the following app rule:


directory='/' && filename='search' && query exists && query length 35 && query begins "id="


Name the Rule "Search File Malware Beaconing" and alert it into your Soc Alerts key or Risk.Warning.


The same app rule string can also be used to run a custom query against your existing collection, to see if there has been any activity in the past.  This specific malware was first seen back on October 30, so you won't need to look that far back in the past.  But this specific search might be slow since it invokes a "begins with" clause at the end.  While that will work okay with an app rule, you might find that the search will go faster if you drop that last && query begins "id="


Simply look for any queries that begin with the "id=" and you will know you have some hits.


For those interested, I've included the PCAP of this specific malware run.  You can use it to test your rules.  The large size is due to the fact that this malware automatically streams several videos from video providers over port 1935, as it also engages in video ranking abuse.


Happy Hunting!