Symantec researchers have analyzed this interesting threat

Jun 8, 2013 09:26 GMT  ·  By

Malware developers employ all sorts of techniques to make sure their creations cannot be analyzed by security researchers. One interesting way of preventing forensic analysis is by (ab)using the Encrypting File System (EFS).

According to Symantec, the malware known as Backdoor.Tranwos uses the EFS to prevent researchers from accessing the contents of the malicious files.

Once it infects a computer, Tranwos – which opens a back door to allow cybercriminals to download more malware – creates a temporary folder, after which it calls the EncryptFileW API to encrypt all its files and folders.

This makes it impossible not only to retrieve the malicious files from another operating system (such as Linux), but also to use forensic tools to analyze them.

Symantec experts say the only way to collect the contents of the malicious files is to manually execute the threat on a test computer.
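A triage helper for the behaviour described above, added here as an example (it is not Symantec's code and not part of the article): it flags entries carrying the EFS attribute bit and raises the severity when they sit under a Temp/Tmp folder, which is where this threat stages its encrypted files. The file listing is constructed sample data; on a live Windows host `scan_live()` walks a volume using `st_file_attributes`.

```python
import os
import stat
from pathlib import PureWindowsPath

# Constructed sample listing of (path, Windows attribute bitmask) pairs,
# shaped like what a collection tool would return. Not real IoCs.
SAMPLE_LISTING = [
    (r"C:\Users\alice\AppData\Local\Temp\tmp1A2B",
     stat.FILE_ATTRIBUTE_DIRECTORY | stat.FILE_ATTRIBUTE_ENCRYPTED),
    (r"C:\Users\alice\AppData\Local\Temp\tmp1A2B\svc.exe",
     stat.FILE_ATTRIBUTE_ARCHIVE | stat.FILE_ATTRIBUTE_ENCRYPTED),
    (r"C:\Users\alice\Documents\report.docx", stat.FILE_ATTRIBUTE_ARCHIVE),
    (r"C:\Users\alice\Documents\secret.docx",
     stat.FILE_ATTRIBUTE_ARCHIVE | stat.FILE_ATTRIBUTE_ENCRYPTED),
]

TEMP_DIR_NAMES = {"temp", "tmp"}  # heuristic assumption for this example


def is_efs_encrypted(attrs: int) -> bool:
    """True when the FILE_ATTRIBUTE_ENCRYPTED bit (0x4000) is set."""
    return bool(attrs & stat.FILE_ATTRIBUTE_ENCRYPTED)


def in_temp_location(path: str) -> bool:
    """True when any path component is a Temp/Tmp directory name."""
    return any(part.lower() in TEMP_DIR_NAMES for part in PureWindowsPath(path).parts)


def triage(listing):
    """Return (path, severity) for every EFS-encrypted entry.

    Legitimate user encryption is marked 'review'; encrypted content in a
    temp location (the pattern this backdoor uses) is marked 'high'.
    """
    hits = []
    for path, attrs in listing:
        if not is_efs_encrypted(attrs):
            continue
        hits.append((path, "high" if in_temp_location(path) else "review"))
    return hits


def scan_live(root):
    """Walk a live Windows volume; st_file_attributes exists only on Windows."""
    listing = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full, follow_symlinks=False)
            except OSError:
                continue  # locked or vanished file; skip rather than abort
            listing.append((full, getattr(st, "st_file_attributes", 0)))
    return triage(listing)
```

The built-in `cipher /u /n` command lists EFS-encrypted files on local drives and is a quick cross-check for the same condition.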