English

Discussions

Polls

RSS feeds

Subscriptions

Contacts

Log in

Internet threat level: 1

Read us on

Threats

Analysis

Blog

Descriptions

Gloss

Home Blog Research November 10 2011 Steganography or encryption in bankers?

Steganography or encryption in bankers?

Dmitry Bestuzhev Kaspersky Lab Expert Posted November 10, 10:34 GMT Tags: Obfuscation, Malware Descriptions, Malware Technologies, Malware Creators, Credit Cards

0.5
Analysis

Sh

While looking over some potentially malicious links from Brazil, I came across an interesting group of files. They were of varying sizes but had similar structures.

Cybercrime Outlook 2020 Kaspersky Lab Kaspersky Security Bullet Malware Evolution 2010 The evolution of self-defen technologies in malware Keyloggers: How they wor how to detect them (Part 1 Kaspersky Security Bullet Mobile malware

Blog Dark Market Latin American banks und from the Mexican VOlk-Bo Malware isnt only malware anymore our participatio VB2011 Kaspersky Lab... also in m DDoS attacks! [by SpyEye Lab Matters - The Evolutio Malware Protection First I thought this was some type of steganography. The files has a jpeg extension, but were in fact bmp files in structure.

It was evident that they contained encrypted malware and some additional data. After further analysis, I discovered that this was a block cipher. As far as I know, this is the first time it has been used by malware writers anywhere in Latin America. This is what the malicious program looked like after decryption:

By using this technique, the virus creators kill several birds with one stone. Firstly, it may cause automatic malware analysis systems to function incorrectly: the file would be downloaded and analyzed by the antivirus program, and given the all-clear; with time the link will be exempted from checks altogether. Secondly, the administrators of the sites where such encrypted malicious files are hosted wont be able to identify them as

malicious and will leave them as they are. Thirdly, some malware researchers may not have the time or necessary expertise to deal with them. All of this plays into the hands of the cybercriminals. We have observed that the virus writers behind this specific attack publish new mirrors with the files and new malware every 2 days or so. So far, the encryption algorithm has been the same, but Im sure it will be changed after this post is published. This is the decryption script for the current status:

8 comments
Oldest first Newest first Table view Threaded view

RootkitResearch
2011 Nov 10, 16:29

Threat details Hi Dmitry Bestuzhev, Very nice analysis. Could you please provide what is the name of this threat?
Reply

Dmitry Bestuzhev
2011 Nov 10, 17:59

Re: Threat details Hi and thanks. This particular sample is detected by us as Trojan-Banker.Win32.Delf.vh But there are 7 malicious samples in the same chain.
Reply

alecw
2011 Nov 10, 17:33

Here's an example of a binary hidden in a GIF... http://wirewatcher.wordpress.com/2010/05/04/malware-in-a-bottle/

Reply

eHackingNews
2011 Nov 10, 17:58

Interesting someone use the technique in 2010 itself?!

Reply

alecw
2011 Nov 10, 18:14

Re: Interesting

Yes, it looks like it. I've no idea what the hidden content actually was, though.
Reply

mrhoward
2011 Nov 10, 19:24

execution ? Thank you for this great post. Yet I do not understand : the file is pushed to the victim, encrypted, but how is it decrypted/executed ? I mean, if the user double-clicks on the file, it will just do nothing, or print a bogus image, right ?
Reply

Dmitry Bestuzhev
2011 Nov 10, 20:48

Re: execution ? Hi and thanks for the comment. There is another binary .exe file (the eighth) which is responsible for downloading from the Web a config file, also encrypted but differently and containing keys for decryption.
Reply

eHackingNews
2011 Nov 10, 23:25

-1

Re: Re: execution ? So the .exe file won't look suspicious but it decrypts the malware and unleash it. kaspersky updated the virus definition?
Reply

If you would like to comment on this article you must first login

securelist.com
1997-2011 Kaspersky Lab ZAO. All Rights Reserved. Industry-leading Antivirus Software. Registered trademarks and service marks are the property of their respective owners. Threats Analysis Blog Descriptions Glossary RSS feeds Contacts Search

kasp
Produ eStor Threa Down Supp Partn Abou Searc