Trojan.Dionizos targets both Firefox and IE users

According to Mozilla they recently count over 270 Million Firefox users now. The fact that Firefox is becoming more and more popular inspires hackers to extend their territory in the hope of doubling their number of victims. Everybody has heard of Trojan.ChromeInject a Trojan that poses as a Firefox plugin in order to harvest logins from about one hundred different banks. We can expect and have to be prepared in the future for more threats and fuss around Firefox. Remember the TODO list of ZeuS? One of the lines on the list dissects interception of Firefox 3+. Statistics also confirm Firefox is at least as popular as Internet Explorer:

Browser Statistics Month by Month
2009 IE7 IE6 IE8 Firefox Chrome Safari Opera
May 21.3% 14.5% 5.2% 47.7% 5.5% 3.0% 2.2%
April 23.2% 15.4% 3.5% 47.1% 4.9% 3.0% 2.2%
March 24.9% 17.0% 1.4% 46.5% 4.2% 3.1% 2.3%
February 25.4% 17.4% 0.8% 46.4% 4.0% 3.0% 2.2%
January 25.7% 18.5% 0.6% 45.5% 3.9% 3.0% 2.3%


Trojan.Dionizos is just yet another banking Trojan that would like to benefit from Firefox users. It installs two malicious DLLs, one for Internet Explorer, and another one for Firefox if it presents on the system. We focus now on the Firefox DLL, the IE DLL is not really something new (installed in the registry as a Browser Helper Object).

If we can believe the TimeStamp, the binary was created at 14:17:21 in 02/09/2008. However its detection rate is still very low, 4 out of 40. See anti-virus scan results:

File name: nsFlash.dll
File size: 45568 bytes
MD5: 0f9c9428abda8836e2d699239640b405

a-squared Trojan-PWS.Dioniz!IK
AntiVir TR/PSW.Dioniz.45568
McAfee-GW-Edition Trojan.PSW.Dioniz.45568
Prevx High Risk Worm

Full scan result here

The Trojan was written in full C++, using the Gecko/XPCOM interface, which concept is very similar to Microsoft’s COM/OLE model also favourited by malware authors to create malicious plugins and BHOs for Internet Explorer (Browser Helper Objects). Talking about Firefox, the Trojan attaches itself to the following provided interfaces:;1;1;1;1;1;1;1

The most important one is the observer-service interface. It notifies the Trojan about various events happening in the browser such like a form submission occurred, an URL just has been opened, etc.

To ensure its survivalence and be able to loaded each time the browser is started, it does the following trick (which seems to be a legit way to register a component indeed). First, the malicious DLL is placed into the directory:

C:Program FilesMozilla FirefoxcomponentsnsFlash.dll

After that, the files xpti.dat and compreg.dat are going to be deleted in these two subfolders:

C:Program FilesMozilla Firefoxcomponents
C:Documents and Settings[user name]Datos de programaMozillaFirefox
Profiles[random chars].default

In the last path of the above two, the random characters within the Profiles folder cannot be guessed by the Trojan, so it attempts to do a recursive search.

Deleting these .dat files is harmless, Firefox upon start, regenerates them automatically. And that’s the point how the Trojan achieves to get registered into Firefox. When the browser is launched it does a search for available components and it will recreate the database files (xpti and compreg.dat). The newly generated .dat files will include nsFlash.dll as a registered component. See a snippet from compreg.dat:

File: compreg.dat

Generated File. Do not edit.





An interesting fact is that the author made a check for previous infections by a simple evaluation if a given filename already exists. This lets us know what other filenames already are being in use, here is the list:


The Trojan’s workdirectory is System32spool, Dionizos stores here its data and configuration files among some printing related legit files which are also stored there by the Operating System. The abused filenames are:


There are four domain names related to this binary, each of them are base64 encoded in the binary:

C&C Servers of Dionizos

During the communication with the C&C server, Dionizos sends a version parameter in the GET/POST messages like &ver=Dionizos_xml. Although we have observed a few more differing versions, but very likely this string was the hint in choosing the Trojan’s name Dionizos:

Dionizos versions

Dionizos functionalities are:

  • Deactivate Kaspersky anti-virus and Comodo Firewall
  • Alter and grab HTTP/HTTPS traffic
  • Steal certificates, saved passwords, cookies
  • Steal POP3 and Webmail passwords
  • Screen capture facility
  • Download and execute file
  • Kill the OS
  • List of processes
  • List of services
  • List of auto-run applications

Dionizos we are keeping our eyes on you!

Jozsef Gegeny
S21sec e-crime

Deja un comentario