Dropper downloads trojan in completely encrypted form

Feb 17, 2009 11:51 GMT

Malware researchers from Sophos antivirus warn about a new technique employed by trojan downloaders: fully encrypted executables. Earlier encrypted malware kept the PE header intact and scrambled only the body.

Malware writers have historically proven innovative. In fact, the whole IT security arena is characterized as a constant game of cat and mouse between security vendors and VXers (malware creators). Considering all this, it should come as no surprise that cybercriminal programmers attempt to find ways around new security technologies, such as network-level protection.

Such is the case with a trojan downloader identified by Sophos as Troj/Dloadr-CEX, which seeks to fetch a malicious payload from the Internet without being blocked by network-level scanners. It achieves this by downloading the trojan file in a completely encrypted form and decrypting it on the target machine.

"When I fetched this file manually it looked like junk – the downloaded file is not in any recognizable file format, and certainly would not run as an executable," Mike W., malware researcher at SophosLabs Canada, notes. "However, when I let the Trojan have its way with the downloaded data, it magically transformed what originally looked like arbitrary junk into a well-structured Windows PE file – ready to pour on some more badness on your machine," the analyst explains.

This is a new technique, even for encryption-capable malware, because up to this point such malicious files have still arrived on the system as executables, with their PE headers intact and only the body encrypted. "The transportation of malware in an obfuscated non-recognizable file format may be a response by the malware community to the concept of 'in-the-cloud' malware protection services," Mike W. concludes.

However, if that is indeed the case, the technique falls short of its intended purpose against well-designed network-level security products. While it may trick an average gateway scanner, it stands little chance against "in-the-cloud" antivirus solutions, because such programs are triggered by events on the local computer rather than by file types.

"Most are triggered by some event, say a call to CreateProcess, that will cause the file (or a checksum of the file) to be sent to the in-network scanning service for analysis before it is allowed to run. So, in this case, such services would still provide protection from the obfuscated EXE, because the malicious downloader must still reveal the unobfuscated payload in its proper PE file form before starting it up," the Sophos researcher explains.
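The two checkpoints the article contrasts (a gateway scanner that keys on file type, and an event-triggered host check that sees the payload only once it is in runnable PE form), as an added Python example that is not part of the original article or of Sophos's tooling. All sample data is constructed: a dummy PE-shaped stub (not a real program) in plain, body-encrypted and fully-encrypted form, scrambled with a seeded pseudo-random keystream that stands in for whatever transformation the dropper applies. The function names, the 0x44 header length and the 7.0-bit entropy threshold are assumptions chosen for the demo.

```python
"""Added example: network-level vs. execution-time views of an opaque download.

Constructed inputs only: a fake PE stub (not a real program) in three forms,
plain, body-encrypted (header intact) and fully encrypted.
"""
import math
import random
import struct

PE_SIG_OFFSET = 0x3C   # e_lfanew lives at this offset in the DOS header
HEADER_LEN = 0x44      # assumption: DOS header (0x40) + 'PE\0\0' signature


def looks_like_pe(data: bytes) -> bool:
    """True when data carries an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < PE_SIG_OFFSET + 4 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, PE_SIG_OFFSET)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_download(data: bytes, header_len: int = HEADER_LEN) -> str:
    """Network-level view: what does the file look like on the wire?"""
    if not looks_like_pe(data):
        return "opaque-blob"          # no recognizable format: nothing for a gateway scanner to match
    if shannon_entropy(data[header_len:]) > 7.0:
        return "pe-encrypted-body"    # header intact, body scrambled (the older technique)
    return "pe"


def pre_execution_check(data: bytes) -> bool:
    """Host-level view: an event-triggered check (e.g. on process creation) is handed
    the bytes that are about to run, so it succeeds exactly when they form a PE."""
    return looks_like_pe(data)


# --- constructed sample data (not real malware) ---------------------------------
def build_fake_pe() -> bytes:
    """A DOS stub + 'PE\\0\\0' signature followed by a low-entropy dummy body."""
    dos_header = b"MZ" + b"\0" * (PE_SIG_OFFSET - 2) + struct.pack("<I", 0x40)
    body = b"dummy section text, not executable code " * 50
    return dos_header + b"PE\0\0" + body


def keystream(n: int, seed: int = 2009) -> bytes:
    """Deterministic pseudo-random key bytes for the demo (assumption: stands in for the dropper's transform)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, key))


def demo() -> dict:
    """Run each form of the sample through both checkpoints and collect the verdicts."""
    plain = build_fake_pe()
    ks = keystream(len(plain))
    body_only = plain[:HEADER_LEN] + xor_bytes(plain[HEADER_LEN:], ks[HEADER_LEN:])  # older style
    full = xor_bytes(plain, ks)                   # whole file scrambled, as with Troj/Dloadr-CEX
    recovered = xor_bytes(full, ks)               # what the dropper must write out before running it
    return {
        "plain": classify_download(plain),
        "body_only": classify_download(body_only),
        "full": classify_download(full),
        "full_runnable_as_is": pre_execution_check(full),
        "recovered": classify_download(recovered),
        "recovered_runnable": pre_execution_check(recovered),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running the script shows the fully encrypted download as an opaque blob at the network checkpoint, while the bytes the dropper reconstructs are a well-formed PE again, which is exactly where the event-triggered check in the quote above gets its chance. The entropy heuristic is a coarse signal (compressed installers score high too), so in practice it flags a download for closer inspection rather than blocking it outright.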