File Infector PE_EXPIRO Returns With New Routines

Written by: Ryan Angelo Certeza

PE_EXPIRO is a family of file infector malware first detected in 2010. On July 11, 2013, we detected a notable rise in PE_EXPIRO infections, most of which came from the US. While still faithful to its roots as a file infector, the new strains sport an information theft routine not commonly seen in this type of malware. They have also been found as the payload of a Styx exploit kit attack that may be targeted at organizations and/or businesses.

What does PE_EXPIRO do to an infected system?

PE_EXPIRO variants scan infected systems for legitimate .EXE files and insert malicious code into the files they find, corrupting them. Infected files are detected as PE_EXPIRO.XJ and carry the same routines as the original infector file. The variants can also infect the system's services.
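As an added example (not part of the original post and not Trend Micro's detection logic), the Python check below is one a responder could run over .EXE files when a file infector is suspected: it parses the PE header and flags an entry point that lands in the last section or in a writable section, a common sign that code has been appended to a legitimate executable. It assumes nothing about PE_EXPIRO's specific infection layout, and the two sample images it inspects are constructed in-line.

```python
import struct

IMAGE_SCN_MEM_WRITE = 0x80000000

def parse_pe(data: bytes) -> dict:
    """Minimal PE header parser: returns the entry point RVA and the section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else -1
    if e_lfanew < 0 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4                      # COFF file header follows the "PE\0\0" signature
    _, num_sections, _, _, _, opt_size = struct.unpack_from("<HHIIIH", data, coff)
    opt = coff + 20                          # optional header; AddressOfEntryPoint sits at +16
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(num_sections):            # 40-byte section headers follow the optional header
        off = opt + opt_size + i * 40
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, chars = struct.unpack_from("<II20xI", data, off + 8)
        sections.append({"name": name, "vaddr": vaddr, "vsize": vsize, "chars": chars})
    return {"entry_rva": entry_rva, "sections": sections}

def entry_point_findings(pe: dict) -> list:
    """Flag entry points redirected into the last or a writable section (appended-code infector pattern)."""
    ep, secs = pe["entry_rva"], pe["sections"]
    holder = next((s for s in secs if s["vaddr"] <= ep < s["vaddr"] + s["vsize"]), None)
    if holder is None:
        return ["entry point lies outside every section"]
    findings = []
    if len(secs) > 1 and holder is secs[-1]:
        findings.append(f"entry point in last section '{holder['name']}'")
    if holder["chars"] & IMAGE_SCN_MEM_WRITE:
        findings.append(f"entry section '{holder['name']}' is writable")
    return findings

def build_sample_pe(entry_rva: int, sections: list) -> bytes:
    """Constructed, non-runnable PE image for testing; sections = (name, vaddr, vsize, chars)."""
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva) + b"\0" * 8
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, vs, 0, 0, 0, 0, 0, ch)
                     for n, va, vs, ch in sections)
    return b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + coff + opt + table

BASE = [(".text", 0x1000, 0x2000, 0x60000020), (".data", 0x3000, 0x1000, 0xC0000040)]
CLEAN = build_sample_pe(0x1200, BASE)
# Constructed layout mimicking an infector that appended a code section and re-pointed the entry point.
SUSPECT = build_sample_pe(0x4010, BASE + [(".newsec", 0x4000, 0x800, 0xE0000020)])

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, entry_point_findings(parse_pe(img)) or ["no findings"])
```

A hit from this heuristic is a reason to quarantine and scan the file, not proof of infection; packed or unusually linked binaries can trigger it too.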

What's new about this latest variant of PE_EXPIRO?

The latest variants, detected as PE_EXPIRO.XJ-O, PE_EXPIRO.QW-O, and PE64-EXPIRO-O (for 64-bit systems), not only have the file infection routines usually associated with the malware family but also an information theft routine that steals FTP client login credentials, specifically those of the FileZilla FTP client. They also steal user and system information.

How PE_EXPIRO enters a system is also new. Instead of spreading through accidental file sharing, this new variant arrives via the Styx Exploit Kit. Styx is notorious for using multiple exploit pages to deliver its payload, with each page targeting different vulnerabilities. Styx also stores and accesses data across multiple IFRAMEs, eschewing the usual exploit kit approach of simply keeping the data in the same HTML file.

The vulnerabilities involved exist in Java and in Adobe Reader and Acrobat. Some of the exploits targeting Java were detected as JAVA_EXPLOIT.ZC, which targets CVE-2013-1493. The PDF exploit was detected as TROJ_PIDIEF.JXM, which targets the old Adobe Reader/Acrobat vulnerability CVE-2010-0188.

Why are these variants of PE_EXPIRO notable?

This latest variant of PE_EXPIRO is notable because of its new routine that steals a specific kind of information, namely FTP client credentials. This can be construed as an attack aimed at compromising websites, as FTP clients are mainly used to manage content stored on file servers.

The fact that an exploit kit is used in its deployment, along with the age of some of the vulnerabilities exploited, also gives credence to the theory that this may have been an attack targeting businesses and organizations. Due to the nature of a business, one or two systems in the business network may be left without updates and thus remain vulnerable to the exploit.

The file infection routines of PE_EXPIRO may also cause data loss or loss of an affected machine's ability to run programs properly.

What should users do if they suspect that their systems are infected with PE_EXPIRO?

Besides running a scan with their security solutions, users should also change the passwords of their FTP servers.

Are Trend Micro customers protected from this threat?

Yes. All malware in this attack is actively detected and removed by Trend Micro products and the Trend Micro™ Smart Protection Network. Trend Micro Deep Security™ also immediately blocks the malicious Java and PDF files associated with this attack.

Users are also advised to keep their systems regularly patched and updated, especially Java and Adobe software.