PALEVO Worm Leads to Info Theft, DDoS attacks

Written by: Oscar Abendan

What are PALEVO malware?

The PALEVO family of worms has been around since the second quarter of 2009. It only gained significant press coverage, however, when some of the people behind the Mariposa botnet were arrested in February 2010. According to reports, this botnet was responsible for targeting millions of corporate entities worldwide, including Fortune 1000 companies.

WORM_PALEVO is the Mariposa botnet’s malware component. Members of the PALEVO malware family are basically downloaders but can perform several other malicious routines, such as stealing login credentials, other online-banking-related information, and corporate and personal data. They can also initiate distributed denial-of-service (DDoS) attacks.

PALEVO malware typically act as bot toolkits with modularized functions and are sold in the underground market. The toolkit's functions, each listed with a price in EUR, are as follows:

  • Basic Flooder
  • Slowloris Flooder
  • USB Spreader
  • MSN Spreader
  • Reverse Socks Simple
  • Post Data Grabber
  • Connect Hook
  • Adware Simple
  • Cookie Stuffer

In terms of file structure, PALEVO worms use different encryption techniques to conceal their main executable files.

Despite the incarceration of the people behind the Mariposa botnet, TrendLabs℠ engineers recently observed several PALEVO-related activities in the wild that we blogged about in the following entries:

PALEVO variants arrive on users’ systems via several infection vectors. Users may, for instance, get PALEVO variants via peer-to-peer (P2P) file-sharing applications like Kazaa, BearShare, iMesh, Shareaza, and eMule. Some variants may also arrive via removable drives and via instant-messaging (IM) applications like MSN Messenger.

What do PALEVO variants do?

PALEVO malware usually drop copies of themselves into specific system folders, with file attributes usually set to Hidden, Read-Only, and System.
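The attribute combination described above can be hunted for directly. The following PowerShell function is an added example, not Trend Micro code; the search roots, extension list, and function name are assumptions, since the article does not name the folders PALEVO uses.

```powershell
# Added example: list executable files that carry Hidden, ReadOnly and System together.
function Find-HiddenSystemExecutable {
    [CmdletBinding()]
    param(
        # Assumed search roots; the article does not name the drop folders.
        [string[]]$Root = @("$env:SystemRoot\System32", $env:APPDATA, $env:USERPROFILE),
        # Assumed list of executable extensions worth triaging.
        [string[]]$Extension = @('.exe', '.dll', '.scr', '.com', '.pif'),
        [int]$Depth = 3
    )

    # All three flags must be present on the same file.
    $wanted = [System.IO.FileAttributes]'Hidden, ReadOnly, System'

    foreach ($r in $Root) {
        if (-not (Test-Path -LiteralPath $r)) { continue }

        # -Force is required, otherwise hidden and system files are skipped.
        Get-ChildItem -LiteralPath $r -File -Force -Recurse -Depth $Depth -ErrorAction SilentlyContinue |
            Where-Object {
                (($_.Attributes -band $wanted) -eq $wanted) -and
                ($Extension -contains $_.Extension.ToLowerInvariant())
            } |
            ForEach-Object {
                # Signature status and hash help separate OS files from dropped copies.
                $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName -ErrorAction SilentlyContinue
                $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Path       = $_.FullName
                    Attributes = $_.Attributes
                    Created    = $_.CreationTimeUtc
                    Signature  = $sig.Status
                    SHA256     = $hash.Hash
                }
            }
    }
}

# Unsigned hits are the ones to review first.
Find-HiddenSystemExecutable | Sort-Object Signature, Created | Format-Table -AutoSize
```

Legitimate Windows components can also carry these attributes, so treat the output as a triage list rather than a verdict.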

Typical of worms, PALEVO malware may propagate via removable drives. Malicious users who control the botnets’ command-and-control (C&C) servers can also instruct them to spread via MSN Messenger and specific P2P applications.

PALEVO malware connect to specific sites to send and receive commands from C&C servers that are under the attackers’ control. Depending on the modules/features attackers bought, these may perform several tasks on infected systems, including downloading files, initiating IM applications, propagating via P2P sites and via removable drives, harvesting passwords from specific Web browsers, performing UDP and TCP flooding, scanning ports, and pushing adware to other infected systems.

PALEVO malware steal browser passwords, particularly for Internet Explorer (IE) and Mozilla Firefox. These may include passwords for personal (e.g., social networking sites), banking, and e-commerce sites.

What is PALEVO malware's payload?

PALEVO malware connect to C&C servers in order to communicate with remote users. The botnet herders can then issue the above-mentioned malicious commands and steal critical information from compromised systems for use in other profiteering schemes.

How do PALEVO malware affect users?

Systems that have been infected by PALEVO variants become vulnerable to more threats. These variants compromise systems’ security and put infected systems under the control of remote users, turning them into zombies without their users’ permission or knowledge. This could bring about a string of unwanted activities, which could result in increased network traffic, among other things.

Important data like site login credentials stored on infected systems can end up in the hands of the cybercriminals behind this threat. Unless immediately changed, these may be used to initiate unauthorized bank transactions, which can lead to actual monetary losses. Cybercriminals may also use the stolen personal data for several other malicious activities.

Because PALEVO variants access a C&C server, attackers can push other malware to other vulnerable systems. These also access specific sites to download updated copies of themselves, apart from downloading other malware. The infected systems then exhibit all of the behaviors of the downloaded malware, making the family a persistent threat.

Some PALEVO variants are capable of initiating DDoS attacks on several entities. These attacks, including those against servers, for instance, prevent systems from working properly and render them inaccessible to authorized users.

What makes PALEVO worms noteworthy?

PALEVO malware are considered persistent threats. Despite the Mariposa botnet takedown in the early part of 2010, it seems that some of its C&C servers are still alive and kicking. Our findings were further verified, as according to, 89 of the Mariposa botnet’s C&C servers remained active as of last count this March. This number is steadily growing, as two months later, it rose to 116.

There is also news of a new botnet using a modified version of PALEVO malware for malicious activities. So far, this botnet has infected systems in 172 countries, including the United States, Russia, Brazil, China, the United Kingdom, and Iran. Because PALEVO malware are still active, users must be on the lookout for related variants and should employ safe computing practices to prevent system infections and to ensure that their systems do not become parts of botnets.

Apart from the above-mentioned possible payloads, some PALEVO samples may also vary in terms of structure and compression. As such, we may see binary samples that deviate from the usual structure, which can make detection challenging for security researchers and analysts.

How can users prevent PALEVO worms from infecting their systems?

Users should remain vigilant against WORM_PALEVO variants and follow these steps for a more secure online experience:
  • Use and properly configure Windows Firewall for all incoming connections from the Internet for Windows-based systems.
  • Disable AutoPlay to prevent the automatic execution of malicious executable files in removable and network drives.
  • Always keep systems up to date by downloading and applying the latest security patches.
  • Avoid clicking dubious-looking URLs from unknown sources.
  • Immediately isolate infected systems from networks to prevent further infection.
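
The first two steps in the list above can be audited, and optionally enforced, from PowerShell. This is an added example, not Trend Micro code; the function name is an assumption, and it takes a `NoDriveTypeAutoRun` value of 0xFF as the "AutoPlay disabled" state and an enabled profile with inbound traffic blocked as the "properly configured" firewall state.

```powershell
# Added example: audit AutoRun/AutoPlay and Windows Firewall; -Fix applies the settings.
# Run from an elevated prompt when using -Fix.
function Test-WormHardening {
    [CmdletBinding()]
    param([switch]$Fix)

    # NoDriveTypeAutoRun = 0xFF turns off AutoRun/AutoPlay for every drive type,
    # including removable and network drives.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $name  = 'NoDriveTypeAutoRun'
    $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    $autoRunOff = ($value -eq 0xFF)
    if (-not $autoRunOff -and $Fix) {
        if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name $name -Value 0xFF -Type DWord
        $autoRunOff = $true
    }
    [pscustomobject]@{ Check = 'AutoRun disabled for all drive types'; Pass = $autoRunOff }

    # A profile passes when it is enabled and blocks unsolicited inbound connections.
    $isHardened = {
        param($p)
        ("$($p.Enabled)" -eq 'True') -and ("$($p.DefaultInboundAction)" -eq 'Block')
    }

    # ActiveStore reports the effective settings after Group Policy is merged.
    foreach ($fwProfile in Get-NetFirewallProfile -PolicyStore ActiveStore) {
        $ok = & $isHardened $fwProfile
        if (-not $ok -and $Fix) {
            Set-NetFirewallProfile -Name $fwProfile.Name -Enabled True -DefaultInboundAction Block
            # Re-read the effective state; Group Policy may override the local change.
            $ok = & $isHardened (Get-NetFirewallProfile -PolicyStore ActiveStore -Name $fwProfile.Name)
        }
        [pscustomobject]@{
            Check = "Firewall profile '$($fwProfile.Name)' enabled, inbound blocked"
            Pass  = $ok
        }
    }
}

# Audit only; add -Fix to apply the settings.
Test-WormHardening | Format-Table -AutoSize
```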

Are Trend Micro users protected from this threat?

Powered by the Trend Micro™ Smart Protection Network™, Trend Micro products protect users from PALEVO malware. The File Reputation Technology, for instance, detects and blocks malicious files from infecting systems. Web Reputation Technology, on the other hand, effectively blocks access to malicious sites where PALEVO variants are hosted.