Microsoft has added detection for a trojan family called Bubnix to the latest version of its
Malicious Software Removal Tool. The malware is particularly interesting because it mimics the file header of password-protected RAR archives in order to avoid detection.
Most antivirus products offer “smart scan” or “quick scan” options, which are designed to allow a quick inspection of the critical areas of a system for signs of infection. In order to decrease the time required for such operations, many products only scan running processes and files that can pose an immediate threat, such as executable ones.
Therefore, it wouldn't be out of the ordinary for an antivirus to skip checking some archive files, especially ones that appear to be protected with a password. Unfortunately, this kind of behavior is exactly what the creators of the Bubnix malware hope to exploit.
“Generally speaking, it is common for a malicious executable to be transferred in encrypted form by a downloader. In order to increase the apparent legitimacy of the content, TrojanDownloader:Win32/Bubnix.A takes this a simple step further. Upon cursory inspection, this appears to be a 'Rar' archive. In fact, the header is a valid one for a password protected archive. Any attempt to 'decompress' the archive will yield a request for the password,” researchers from Microsoft's Malware Protection Center (MMPC) explain.
In fact, the 'Rar!' string in the header serves as a marker for a key, which is passed to a decryption function in order to reveal the actual payload. Once it has infected a computer, the trojan downloads and installs a rootkit component, which registers itself as a kernel driver service called "Boot Bus Extender."
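A defender-side check illustrating the point above, written for this article rather than taken from Microsoft or any antivirus vendor: instead of trusting the 'Rar!' magic, walk the classic (pre-RAR5) block chain and validate each block's header CRC, so a file that carries archive magic but no parseable archive structure is handed to a full scan instead of being skipped as a "password-protected archive". The sample inputs are constructed, and the block layout (7-byte signature, then CRC/type/flags/size headers, MHD_PASSWORD flag 0x0080, LONG_BLOCK flag 0x8000) is assumed from the published RAR format.

```python
import struct
import zlib

RAR4_SIGNATURE = b"Rar!\x1a\x07\x00"
MAIN_HEAD, END_HEAD = 0x73, 0x7B
MHD_PASSWORD = 0x0080  # main-header flag: all following block headers are encrypted
LONG_BLOCK = 0x8000    # block flag: a 4-byte ADD_SIZE of trailing data follows the header

def build_block(head_type, head_flags, body=b""):
    """Assemble a RAR block header with a correct 16-bit header CRC (for constructed samples)."""
    rest = struct.pack("<BHH", head_type, head_flags, 7 + len(body)) + body
    return struct.pack("<H", zlib.crc32(rest) & 0xFFFF) + rest

def classify_rar4(data):
    """Walk the block chain instead of trusting the magic bytes. Returns 'not-rar',
    'malformed' (magic present but the chain breaks: treat as an arbitrary file and scan it),
    'opaque' (encrypted headers: contents cannot be validated, so do not skip) or 'valid'."""
    if not data.startswith(RAR4_SIGNATURE):
        return "not-rar"
    pos = len(RAR4_SIGNATURE)
    while pos + 7 <= len(data):
        head_crc, head_type, head_flags, head_size = struct.unpack_from("<HBHH", data, pos)
        if head_size < 7 or pos + head_size > len(data) or not 0x72 <= head_type <= 0x7B:
            return "malformed"
        # HEAD_CRC is the low 16 bits of CRC32 over the header bytes after the CRC field
        if zlib.crc32(data[pos + 2:pos + head_size]) & 0xFFFF != head_crc:
            return "malformed"
        if head_type == MAIN_HEAD and head_flags & MHD_PASSWORD:
            return "opaque"
        if head_type == END_HEAD:
            return "valid"
        add_size = 0
        if head_flags & LONG_BLOCK:          # skip the packed data that follows this header
            if head_size < 11:
                return "malformed"
            add_size = struct.unpack_from("<I", data, pos + 7)[0]
        pos += head_size + add_size
    # an END block is optional, so a chain that ends exactly at EOF is still valid
    return "valid" if pos == len(data) else "malformed"

def sample_files():
    """Constructed inputs for the check; none of these are real Bubnix samples."""
    main_plain = build_block(MAIN_HEAD, 0x0000, b"\x00" * 6)          # RESERVED1 + RESERVED2
    main_encrypted = build_block(MAIN_HEAD, MHD_PASSWORD, b"\x00" * 6)
    return {
        "empty_archive": RAR4_SIGNATURE + main_plain + build_block(END_HEAD, 0),
        "encrypted_headers": RAR4_SIGNATURE + main_encrypted + b"\x5a" * 24,  # salt + ciphertext
        "disguised_blob": RAR4_SIGNATURE + main_plain + b"\xd3" * 40,  # stand-in for an encrypted payload
    }
```

Only the 'valid' class has a structure a scanner can reason about; both 'opaque' and 'malformed' files should be queued for a full scan rather than excluded on the strength of the magic bytes.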
Trojans in the Bubnix family act as botnet clients and are primarily used for spam. According to Microsoft, they are often dropped onto already compromised systems by other threats like Bredolab or Hanig.
You can follow the editor on Twitter @lconstantin