A new online banking malware with the same technique used in Operation Emmental has been hitting users in Japan. Detected as TROJ_WERDLOD, this new malware has been causing problems in the country since December 2014 with more than 400 confirmed victims.
TROJ_WERDLOD infects users via spam mails with an attached .RTF document. The document claims to be an invoice or bill from an online shopping site. Once the .RTF file is opened, the user is instructed to double-click the icon in the document leading to TROJ_WERDLOD being executed.
According to TrendLabs, this threat changes two settings that allow information theft at the network level. This has the advantage of not requiring a reboot or any memory-resident processes on the affected systems.
One of the two settings modified is the system’s proxy settings. This routes some of the user’s Internet traffic to a proxy controlled by the attacker. The second is the addition of a malicious root certificate to the system’s trusted root store.
This allows the forged site certificates presented during man-in-the-middle attacks to be accepted without triggering alerts or error messages.
This technique of a malicious proxy combined with an added root certificate was also used in Operation Emmental. This attack indicates that the technique has now reached Japan.
The list of targeted sites is contained within the downloaded proxy.pac file. Traffic going to any of these sites will be routed through the malicious proxy.
The malicious proxy performs a MITM attack against the secure connection. Normally, this would lead to SSL errors, as the fake SSL certificate used by the proxy would not be seen as valid.
However, because of the added certificate in the root store, no error messages will be seen. The attacker can then intercept any credentials sent to the banking site; alternatively, the attacker might instead show a fake website and ask the user to enter their credentials.
SSL/TLS should be able to avoid MITM attacks, but in this case, the presence of the malicious root certificate obliterates the trust model. This leaves the user at risk of attack.
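When a proxy.pac of the kind described above is recovered from an infected machine, an incident responder wants to know which hosts it actually diverts to the attacker's proxy. PAC files are JavaScript, so the quickest way is to evaluate FindProxyForURL against candidate URLs with the helper functions a browser would provide. The following is an added example, not code from the article or from the malware; the PAC text, hostnames and proxy address (192.0.2.10, a documentation address) are constructed placeholders.

```javascript
// Constructed sample PAC mirroring the behaviour described in the article:
// a short allow-list of target hosts is sent to a PROXY, everything else is DIRECT.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (dnsDomainIs(host, ".bank-example.jp") ||
      shExpMatch(host, "*.login.example-bank.co.jp")) {
    return "PROXY 192.0.2.10:8080";
  }
  return "DIRECT";
}`;

// Minimal implementations of the PAC helper functions a browser exposes.
// shExpMatch uses shell-style globbing, so '*' and '?' are the only wildcards.
const pacHelpers = {
  dnsDomainIs: (host, domain) => host.endsWith(domain),
  shExpMatch: (str, pattern) => {
    const escaped = pattern
      .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
      .replace(/\*/g, ".*")                  // glob '*' -> any run of characters
      .replace(/\?/g, ".");                  // glob '?' -> any single character
    return new RegExp("^" + escaped + "$").test(str);
  },
  isPlainHostName: (host) => !host.includes("."),
};

// Compile the PAC source with only the helper functions in scope and return
// its FindProxyForURL. No network access or browser state is involved.
function loadPac(pacSource) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(...names, pacSource + "\nreturn FindProxyForURL;");
  return factory(...names.map((n) => pacHelpers[n]));
}

// Evaluate each candidate URL and return host -> PAC verdict ("DIRECT" or "PROXY ...").
function pacVerdicts(pacSource, urls) {
  const findProxy = loadPac(pacSource);
  const verdicts = {};
  for (const url of urls) {
    const host = new URL(url).hostname;
    verdicts[host] = findProxy(url, host);
  }
  return verdicts;
}

// Convenience: only the hosts the PAC diverts through a proxy, sorted for reporting.
function divertedHosts(pacSource, urls) {
  const verdicts = pacVerdicts(pacSource, urls);
  return Object.keys(verdicts).filter((h) => verdicts[h].startsWith("PROXY")).sort();
}
```

Feed it the URLs of sites users actually visit (online banks, webmail, shopping portals) and the list of hosts that come back with a PROXY verdict is the malware's target list for that sample.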