10 June

RpcTonzil Trojan Has Attacked at Least 50,000 of VK Users' Computers

Cezurity, a Russian company that develops protection against malware and hacker attacks, said that the pattern of the trojan infection in social networks is becoming an epidemic.

According to the Cezurity Virus Lab, at least 50 000 VK users have been affected by this malware to date. The figure is confirmed by analysis of data retrieved from Cezurity Cloud, a next-generation cloud-based virus protection technology that detects threats of this kind by identifying anomalous files. Most antivirus products detect only some modifications of Trojan.RpcTonzil. Computers running both 32-bit and 64-bit Windows can be infected.

Once the account is hijacked, the attacker uses it to access the victim's social media profile, send spam from the compromised account, steal private data and send the victim scam text messages.

Trojan.RpcTonzil modifies the DNS queries the computer sends to its DNS server. As a result, when the user signs in at the service's own web page, they are directed instead to a phishing site crafted by the attackers that imitates, or exactly copies, the look of the real VK site, where the user is told that their account has been hacked. The fraudsters then ask the user to create a new password and to verify the cell phone number associated with the account. The web address offers no warning, because it appears correct and gives the impression that this is the actual VK website. The trojan also blocks access to most antivirus company sites and to Microsoft Update servers. As a consequence, antivirus laboratories often lack the data needed to monitor how the infection spreads to other websites. Antivirus companies have detected and isolated various versions of the trojan since March of this year. Nevertheless, RpcTonzil continues to spread across the Internet, and most antivirus software either fails to spot it entirely or detects only some of its modifications.
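The paragraph above describes two observable symptoms of the infection: the login domain of the social network resolves to an attacker-controlled host, and antivirus and Microsoft Update domains stop resolving. The following check, added here as an example and not code from Cezurity or from the article, compares what the host's resolver returns against answers obtained from a trusted out-of-band resolver and flags the combination the article describes. All domain lists and IP addresses are constructed sample data (documentation ranges from RFC 5737), not the real addresses of VK or Microsoft.

```python
import ipaddress

# Names whose hijacking indicates credential phishing, and names whose
# blocking indicates the malware is cutting off updates and AV vendors.
# Both lists are assumptions for this example, not taken from the article.
LOGIN_DOMAINS = {"vk.com"}
PROTECTION_DOMAINS = {"update.microsoft.com", "cezurity.com"}

# Non-routable ranges: an answer landing here means the name was sinkholed.
SINKHOLE_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16")]

# Constructed reference answers from a trusted resolver (RFC 5737 addresses).
REFERENCE = {
    "vk.com": ["203.0.113.10", "203.0.113.11"],
    "update.microsoft.com": ["198.51.100.20"],
    "cezurity.com": ["198.51.100.30"],
}

# Constructed answers as seen from a clean host: a subset of the reference.
OBSERVED_CLEAN = {
    "vk.com": ["203.0.113.11"],
    "update.microsoft.com": ["198.51.100.20"],
    "cezurity.com": ["198.51.100.30"],
}

# Constructed answers as seen from an infected host.
OBSERVED_INFECTED = {
    "vk.com": ["192.0.2.66"],      # login name points at an unrelated host
    "update.microsoft.com": [],    # no answer at all
    "cezurity.com": ["127.0.0.1"], # sinkholed to loopback
}


def classify(observed_ips, reference_ips):
    """Classify one name's resolution as ok, blocked or redirected."""
    if not observed_ips:
        return "blocked"
    obs = {ipaddress.ip_address(ip) for ip in observed_ips}
    if any(ip in net for ip in obs for net in SINKHOLE_NETS):
        return "blocked"
    if obs & {ipaddress.ip_address(ip) for ip in reference_ips}:
        return "ok"
    return "redirected"


def assess(observed, reference):
    """Return (verdict, per-domain findings) for a set of resolver answers."""
    findings = {d: classify(observed.get(d, []), reference[d]) for d in reference}
    login_redirected = any(findings[d] == "redirected" for d in LOGIN_DOMAINS)
    protection_cut = any(findings[d] != "ok" for d in PROTECTION_DOMAINS)
    if login_redirected and protection_cut:
        verdict = "dns_hijack_pattern"   # both symptoms from the article
    elif login_redirected or protection_cut:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return verdict, findings


if __name__ == "__main__":
    for label, obs in (("clean host", OBSERVED_CLEAN), ("infected host", OBSERVED_INFECTED)):
        verdict, findings = assess(obs, REFERENCE)
        print(f"{label}: {verdict} {findings}")
```

The reference answers must come from a resolver the host's own DNS path cannot influence (for example, queried from a separate clean machine at the same time), because large services answer from changing pools of addresses; a mismatch with stale reference data is a false positive, while an empty or non-routable answer for an update or antivirus domain is a strong signal on its own.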

What makes it difficult to identify every modification of RpcTonzil is that the malware uses fairly sophisticated concealment techniques. It also has several ways of finding its way onto a user's computer. In some cases the infection can be prevented by the behavior-based protection built into antivirus products.

"Once the computer is infected, this trojan malware can exist only in its encrypted form. The decoding and startup are executed by using a slightly modified system library, rpcss.dll. This trojan infection is similar to EPO (Entry Point Obfuscation). Most antivirus programs are unable to detect an infection done in this way, that is, they might mistakenly detect a trojan like that by its behavior alone without proper recognition. What makes the detection process more complicated is that the system library fragment seems to be provisional and arbitrary," says Kirill Presnyakov, Lead Virus Analyst at Cezurity.
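Because the loader described above lives in a small, arbitrary patch to a legitimate system library, signature matching on the patched bytes is unreliable, but any change to a system file is still visible to a plain integrity baseline. The script below is an added example, not Cezurity's tool or the article's own code: it records the size and SHA-256 of a set of watched files from a known-clean state and later reports which of them were patched in place (same size, different hash), otherwise modified, or missing. The directory and file names are constructed stand-ins created in a temporary folder, not real Windows binaries.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, names):
    """Record size and hash of each watched file; must run on a clean system."""
    root = Path(root)
    return {n: {"size": (root / n).stat().st_size, "sha256": sha256_of(root / n)}
            for n in names}


def verify(root, baseline):
    """Compare current files against the baseline and return {name: status}."""
    root = Path(root)
    report = {}
    for name, rec in baseline.items():
        p = root / name
        if not p.exists():
            report[name] = "missing"
        elif sha256_of(p) == rec["sha256"]:
            report[name] = "ok"
        elif p.stat().st_size == rec["size"]:
            # Same length, different content: a fragment was overwritten in place,
            # which is the kind of change the quoted analyst describes.
            report[name] = "patched_in_place"
        else:
            report[name] = "modified"
    return report


def demo():
    """Constructed scenario: one byte of a fake 'rpcss.dll' is flipped, another file removed."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        names = ["rpcss.dll", "kernel32.dll"]   # hypothetical stand-ins, not real DLLs
        for n in names:
            (root / n).write_bytes(b"MZ" + bytes(range(256)) * 4)
        baseline = build_baseline(root, names)

        data = bytearray((root / "rpcss.dll").read_bytes())
        data[100] ^= 0x01                        # single-byte change, size unchanged
        (root / "rpcss.dll").write_bytes(bytes(data))
        (root / "kernel32.dll").unlink()
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())   # {'rpcss.dll': 'patched_in_place', 'kernel32.dll': 'missing'}
```

The value of this check depends entirely on the baseline being taken before infection; a baseline captured from an already-patched library simply enshrines the patch. On a real Windows host a vendor-signed reference (the Windows File Protection catalogs consulted by `sfc /scannow`) is preferable to a self-made manifest for exactly that reason, and a hash mismatch after a legitimate update is expected and should be reconciled, not ignored.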

Detecting and removing the malware becomes even harder when it is targeted at specific geographic locations; this trojan harms only users of Russian social networks. "This trojan program is interesting not as an example of an infection strategy (the industry has a long history of similar methods), but rather as a good illustration of the situation that exists in the antivirus industry. The program has been out there for three months now, spreading on and on; however, most antivirus products can neither detect it at all nor are they able to recover your PC from the infection," says Aleksey Chaley, General Director of Cezurity.

The company recommends that users check their computers with the free Cezurity Antivirus Scanner, which recognizes every modification of Trojan.RpcTonzil.