Softpedia
May 16th, 2011, 18:43 GMT · By

New Alureon Version Employs Sophisticated Encryption

[Image caption: Alureon creators start using complex obfuscation techniques]
Security researchers from Microsoft have come across a new version of the Alureon malware which uses sophisticated obfuscation techniques in order to evade antivirus detection and analysis.

Alureon is a family of trojans that intercept Internet traffic with the purpose of stealing login credentials, credit card data and other sensitive information.

Malicious programs from this family commonly use DNS hijacking to achieve their goals, which is why infected computers often exhibit rogue DNS entries.

The new Alureon version found by Microsoft researchers is special because it borrows encryption techniques from Win32/Crypto, a virus that dates back to 1999.

Win32/Crypto encrypted its payload with a key that was never stored in usable form; the malware itself had to recover it from the PE header by brute force at run time.

"While working recently on different Win32/Alureon samples, we noticed some behaviour that deviated from what we’ve seen before. A particular set of files was taking longer to exhibit malicious behaviour than others.

"We started looking for why this was so, and ended up with a blast from the past. This time the malware was using Win32/Crypto-style decryption to elude anti-virus scanners," Microsoft's malware researchers explain.

However, the new Alureon uses an even more sophisticated method. Recovering the decryption key can take up to 255 retries, and, unlike Win32/Crypto, the key is spread across the entire PE image, interleaved with other code and resources.

This makes recovering the encrypted file manually much more complicated for malware analysts and detection harder for antivirus programs.

The Microsoft researchers also note that the first variant of this obfuscation layer was seen in 2009; however, that variant used only a single XOR encryption pass, whereas the new one uses several.
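To make the "up to 255 retries" concrete from the analyst's side, here is an added example (not code from the article or from Microsoft's analysis) of how an encoded PE image is recovered when the key is not stored: every single-byte XOR key is tried and each guess is validated by checking for a plausible PE header. The single-byte key, the XOR-only encoding and the constructed sample header are simplifying assumptions; the real sample scatters its key across the image and applies several passes.

```python
# Added example: brute-force recovery of a single-byte XOR key protecting an
# embedded PE image. The guess is validated structurally (DOS "MZ" stub,
# e_lfanew inside the buffer, "PE\0\0" signature), which is the same kind of
# check self-decrypting malware must perform to know when a guess succeeded.
import struct


def xor_decode(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap structural check: DOS magic, e_lfanew in range, PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_xor_key(data: bytes, max_key: int = 255):
    """Try keys 1..max_key in order; return (key, attempts) or (None, attempts)."""
    attempts = 0
    for key in range(1, max_key + 1):
        attempts += 1
        if looks_like_pe(xor_decode(data, key)):
            return key, attempts
    return None, attempts


def make_sample_pe() -> bytes:
    """Constructed fixture: a minimal, non-executable PE-shaped header."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)        # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)       # e_lfanew -> PE signature
    return bytes(hdr) + b"PE\0\0" + b"\x4c\x01" + b"\0" * 18


SAMPLE_KEY = 0x5A                                  # constructed key (assumption)
ENCODED_SAMPLE = xor_decode(make_sample_pe(), SAMPLE_KEY)

if __name__ == "__main__":
    key, attempts = recover_xor_key(ENCODED_SAMPLE)
    print(f"recovered key=0x{key:02x} after {attempts} attempts")
```

The attempt count is what an emulating scanner pays for: a key near the end of the range costs a few hundred decode-and-validate rounds before the real payload appears.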

There are concerns that the technique might be adopted by other malware families in the future. "A decade ago, the Win32/Crypto file infector was using a similar, though much simpler, technique. These days, malware authors go a long way in their attempts to evade detection," the Microsoft experts conclude.
