14 DAY TRIAL // Researchers discovered that for the first time malware creators from Latin America are utilizing block cyphers to mask their malicious software.
Kaspersky experts came across a couple of files which even though they had a jpeg extension, their structures resembled the one of a bmp image file.
They quickly realized that they were dealing with a piece of malware that was encrypted. The novelty in this finding is that the cybercriminals used a block cipher algorithm to encrypt the malevolent element.
A block cipher is a symmetric key cipher that operates on fixed-length group of bits with an unvarying transformation. To decrypt such a cipher, a secret key is needed, this making the decryption process somewhat more difficult.
This encryption mechanism is highly efficient in evading security products. Since such files can be easily placed on various locations, by making them look legitimate, not only anti-virus software can be fooled but also site administrators which might look at the pieces of malware and consider them regular files.
“Firstly, it may cause automatic malware analysis systems to function incorrectly: the file would be downloaded and analyzed by the antivirus program, and given the all-clear; with time the link will be exempted from checks altogether,” the researcher said.
Unfortunately, malware researchers may not possess the necessary resources to handle such threats, making them highly efficient in the hands of cyber masterminds. Also, it seems as the creators of these virus groups are publishing new mirrors of the malicious elements every 2 days and even if the encryption algorithm is the same, it's expected it will change at any time.
At the end of September, Microsoft researchers came across a version of Alureon which utilized steganography techniques to masquerade itself as a harmless looking image. The data-stealing trojan came with an encrypted component that facilitated the communication between the command and control server and the infected machine.