SANS: Malware with new features

...The sample is a downloader, which is typical of the vast majority of malware spammed today. The downloader connects to a web site and downloads the second stage payload, which is another downloader.

This second stage downloader downloads and installs a small zoo of malware. Besides the usual culprits, such as keyloggers and BHOs (Browser Helper Objects), what's interesting is that it downloads multiple versions of the same Trojan. A brief analysis of these files showed that they all behave exactly the same, but look different and have different checksums. When we tested them against AV programs, detection differed depending on the file scanned (although some AV programs detected all of them as the same family, differing only in minor version). Why the authors decided to do this is not clear, but I suspect that they were just trying to increase their chance of getting the malware onto a machine: even if your AV program detected and blocked a couple of samples, there might be one which is not detected.
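The detection gap described above (same behaviour, different checksums) is easy to reproduce. The following Python script is an added illustration, not code from the diary or from SANS: it builds three constructed stand-ins for variants of one Trojan that share a core (fake code section, API names and a placeholder C2 URL) but differ in appended junk bytes, then compares a hash blocklist against a simple content-based signature. The API names, the `.invalid` URL and the indicator set are assumptions chosen for the demonstration.

```python
import hashlib
import re

# Constructed stand-ins for three variants of one Trojan: identical core bytes
# (a fake "code" section plus its embedded API names and C2 URL) with different
# junk padding appended, so every file hashes differently. The URL uses the
# reserved .invalid TLD and is a placeholder, not a real indicator.
CORE = (
    b"MZ\x90\x00fake-code-section\x00"
    b"GetAsyncKeyState\x00WriteFile\x00InternetOpenUrlA\x00"
    b"http://c2.example.invalid/index.php\x00"
)
VARIANTS = {
    "variant_a.exe": CORE + b"\x00" * 64,
    "variant_b.exe": CORE + b"\xCC" * 64,
    "variant_c.exe": CORE + bytes(range(64)),
}

# Hypothetical indicators an analyst extracted from the first variant seen.
INDICATORS = frozenset({
    "GetAsyncKeyState",                      # keylogging API
    "InternetOpenUrlA",                      # download API
    "http://c2.example.invalid/index.php",   # C2 URL (placeholder)
})


def sha256_hex(data: bytes) -> str:
    """Exact-match hash, the kind a simple AV or IoC blocklist keys on."""
    return hashlib.sha256(data).hexdigest()


def extract_strings(data: bytes, min_len: int = 6) -> set:
    """Printable ASCII runs of at least min_len bytes, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.group().decode("ascii") for m in re.finditer(pattern, data)}


def behavioural_signature(data: bytes) -> frozenset:
    """Toy content signature: which of the known indicators the sample carries."""
    return frozenset(INDICATORS & extract_strings(data))


def hash_detections(samples: dict, blocklist: set) -> dict:
    """Hash blocklist: a sample is caught only if its exact hash is listed."""
    return {name: sha256_hex(d) in blocklist for name, d in samples.items()}


def signature_detections(samples: dict, required: frozenset) -> dict:
    """Content signature: a sample is caught if it carries all required indicators."""
    return {name: required <= behavioural_signature(d) for name, d in samples.items()}


# The analyst only ever saw variant A, so that is the only hash on the blocklist.
BLOCKLIST = {sha256_hex(VARIANTS["variant_a.exe"])}
REQUIRED = frozenset({"GetAsyncKeyState", "http://c2.example.invalid/index.php"})

if __name__ == "__main__":
    for name, data in VARIANTS.items():
        print(name, sha256_hex(data)[:16], sorted(behavioural_signature(data)))
    print("hash blocklist:", hash_detections(VARIANTS, BLOCKLIST))
    print("content signature:", signature_detections(VARIANTS, REQUIRED))
```

Run as-is, the hash blocklist catches only `variant_a.exe`, while the signature built from the shared strings catches all three. Real signatures use richer features (imports, section layout, behaviour in a sandbox), but the principle is the one the diary observes: a hash identifies one file, a behavioural or content signature identifies the family.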

After this third stage executable has been downloaded, it turns off the host-based firewall that comes with Windows XP SP2. In fact it completely disables the Windows Security Center service (wscsvc).

The malware then connects to its command and control center, which this time is a plain web server (no IRC). The web server produces a nice HTML page which has three different forms: ftpstaticdata, softstaticdata and softvardata. These instruct the malware to download additional modules. Of special interest was the ftpstaticdata section. This section contained an FTP server IP address and a username/password pair that the malware used to upload keylogger logs.

Source: SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System
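An incident responder who captures such a C2 response wants the indicators out of it quickly: the FTP drop host to block and notify, and the module URLs to blocklist. The Python script below is an added example, not code from the diary or from SANS. It parses a constructed HTML page with the standard library's `html.parser` and pulls out each form's input fields; the three form names are the ones the diary reports, while the input field names (`host`, `user`, `pass`, `url`), the documentation-range IP and the `.invalid` URLs are assumptions made up for the example.

```python
from html.parser import HTMLParser

# Constructed stand-in for a captured C2 response. The form names come from the
# diary; the field names and values are assumed (203.0.113.0/24 is a documentation
# range and .invalid is a reserved TLD, so nothing here is a real indicator).
CAPTURED_C2_PAGE = """
<html><body>
<form name="ftpstaticdata">
  <input name="host" value="203.0.113.10">
  <input name="user" value="upload">
  <input name="pass" value="s3cret">
</form>
<form name="softstaticdata">
  <input name="url" value="http://c2.example.invalid/mod1.exe">
</form>
<form name="softvardata">
  <input name="url" value="http://c2.example.invalid/mod2.exe">
</form>
</body></html>
"""


class C2FormExtractor(HTMLParser):
    """Collect every <form name=...> and the name/value pairs of its <input> tags."""

    def __init__(self):
        super().__init__()
        self.forms = {}        # form name -> {input name: value}
        self._current = None   # name of the form currently being parsed

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = attrs.get("name", "")
            self.forms.setdefault(self._current, {})
        elif tag == "input" and self._current is not None and "name" in attrs:
            self.forms[self._current][attrs["name"]] = attrs.get("value", "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def parse_c2_page(html: str) -> dict:
    """Return {form name: {field: value}} for every form in the captured page."""
    parser = C2FormExtractor()
    parser.feed(html)
    parser.close()
    return parser.forms


def indicators_to_block(forms: dict) -> dict:
    """Reduce the parsed forms to what a defender acts on: the FTP drop host
    (ftpstaticdata) and the module download URLs (the soft* forms)."""
    ftp = forms.get("ftpstaticdata", {})
    urls = [f["url"] for name, f in forms.items() if name.startswith("soft") and "url" in f]
    return {"ftp_drop_host": ftp.get("host"), "download_urls": sorted(urls)}


if __name__ == "__main__":
    parsed = parse_c2_page(CAPTURED_C2_PAGE)
    for name, fields in parsed.items():
        print(name, fields)
    print(indicators_to_block(parsed))
```

The credentials in `ftpstaticdata` are deliberately left out of the blocking output: they matter for notifying the owner of the (usually compromised) FTP server, not for perimeter rules, and the host address and download URLs are the indicators that go into firewall and proxy blocklists.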

Linked by shanmuga Thursday, 16th November 2006 12:14AM