Relies on fake traffic to command and control server to send network-sniffing tools on the wrong track

Nov 16, 2014 00:51 GMT

Image caption: Time and datestamp of the file dropped by the threat have been changed

The Dofoil botnet builder has been silent for the past year, but in September a new version was encountered, featuring significant improvements aimed at evading detection and analysis.

The malware is designed to create a network of infected computers that the attackers can then use for malicious activity, ranging from infecting the systems with other threats to stealing information.

Dofoil detects virtual environments and debuggers

Malware researchers at Fortinet caught the new sample of the Trojan and analyzed its new capabilities. One of the first things they noticed was that the command for retrieving the list of modules from the C&C server is now encrypted.

The modifications in this variant of Dofoil include anti-analysis measures: the bot detects whether it is running in a virtual environment or under a debugger and, if so, takes action to frustrate examination.

“The bot contains several checks to detect if it is currently running in a debugger or a virtual machine. If any of the following conditions are triggered, the bot enters into an infinite loop,” said He Xu from Fortinet in a blog post.

Fake traffic is generated to trick security solutions

Moreover, to fool detection mechanisms that may be present on the victim's system, the researcher found that Dofoil collects a set of legitimate URL addresses from a registry key and sends encrypted packets to them.

This behavior masks the malicious traffic exchanged between the threat and its command and control server. Detection of the malware is also impaired, because the legitimate servers receiving the fake data do not all respond in the same way: some return an error, while others return a normal web page.

Since filtering the traffic based on the server response is not a reliable method, other ways to identify the malware on a computer have to be found.

According to the researcher, Dofoil uses the same encryption for all the data it sends, regardless of destination, so the encrypted streams alone offer no clue as to which connections are fake and which one is the real communication with the C&C.

However, once the packets are decrypted, their destination and purpose become obvious, allowing the command and control server to be identified.
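Even when the payloads cannot be decrypted, the decoy fan-out described above leaves a shape in proxy logs that a defender can look for: one client sending same-sized encrypted bodies to many unrelated hosts within seconds. The following Python is an added example, not code from the article or from Fortinet's analysis; it runs over constructed log lines in an assumed `timestamp client method host status body_size` format, and the thresholds are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (not real traffic): ts client method host status body_size.
# Host 10.0.0.7 posts a 1472-byte body to five hosts in four seconds; 10.0.0.9 is normal.
SAMPLE_LOG = """\
2014-11-16T00:51:03Z 10.0.0.7 POST www.example.com 404 1472
2014-11-16T00:51:04Z 10.0.0.7 POST cdn.example.net 200 1472
2014-11-16T00:51:04Z 10.0.0.7 POST news.example.org 403 1472
2014-11-16T00:51:05Z 10.0.0.7 POST shop.example.net 200 1472
2014-11-16T00:51:06Z 10.0.0.7 POST mail.example.com 500 1472
2014-11-16T00:52:10Z 10.0.0.9 POST www.example.com 200 812
2014-11-16T00:52:11Z 10.0.0.9 GET cdn.example.net 200 0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def parse(log):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, host, status, size = m.groups()
        yield {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
               "method": method, "host": host, "status": int(status), "size": int(size)}


def find_decoy_fanout(log, min_hosts=4, window_s=60):
    """Return {(client, body_size): sorted hosts} for every client that POSTs a
    body of one fixed size to at least min_hosts distinct hosts within window_s
    seconds. Status codes are deliberately ignored: decoy targets answer
    inconsistently (errors or normal pages), so the response is not a filter."""
    by_key = defaultdict(list)
    for r in parse(log):
        if r["method"] == "POST" and r["size"] > 0:
            by_key[(r["client"], r["size"])].append(r)
    hits = defaultdict(set)
    for key, reqs in by_key.items():
        reqs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(reqs)):  # sliding time window over sorted requests
            while (reqs[end]["ts"] - reqs[start]["ts"]).total_seconds() > window_s:
                start += 1
            hosts = {r["host"] for r in reqs[start:end + 1]}
            if len(hosts) >= min_hosts:
                hits[key].update(hosts)
    return {key: sorted(hosts) for key, hosts in hits.items()}
```

A hit names the client and the fixed body size, not the real C&C; as the article notes, separating the genuine server from the decoys still requires decrypting the traffic.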

Malware changes attributes to make file appear older

Additional evasion techniques observed in the new Dofoil include a random name for the payload and the modification of the malicious file's attributes. The freshly dropped files are made to appear old, in an attempt to keep the new variants under the radar.

Furthermore, the threat relies on a double-map code injection technique, designed to escape detection by different security tools.

After a short look at the new Dofoil variant, the security researcher concluded that the threat has become “much more dangerous and aggressive than before.”

Dofoil Trojan (5 images). Captions: time and datestamp of the file dropped by the threat have been changed; command for getting the module list is encrypted; the command that downloads the module list can be decrypted.