Malware Authors Adopting Innovative Ways to Hide Malicious Codes
According to Mike Wood, Threat Researcher at Sophos, authors of new Trojan downloaders will have to work harder to develop new tactics for hiding their threats, as security researchers are building more sophisticated applications to identify anything that indicates a potential attack, as reported by securitywatch.eweek on June 9, 2009.
Wood gave as an example a recently found piece of malware known as Troj/FRuWL-Gen, which tried a number of methods to remain unnoticed while resident on an infected machine.
Explaining the propagation method of the malware, Wood said in a blog post at Sophos.com on June 5, 2009 that Troj/FRuWL-Gen was nothing but a dropper that installed another Trojan on the infected machine before deleting itself. Although the installation pattern was typical, the way it carried out that installation was very interesting.
To accomplish this installation, the Trojan used two different exported functions. One handled the download, while the other examined the installation process and made sure the payload was successfully delivered to the device involved. Separating the two functions made the malware more difficult to detect and even harder to stop.
Furthermore, Troj/FRuWL-Gen wrote a whole portable executable (PE) file into the registry of the infected system instead of creating a new file on disk. The PE file was concealed under randomly generated value names and tucked away to look innocuous, said Sophos, as reported by securitywatch.eweek on June 9, 2009.
The cleverness of the malware continues with the installation process that executes the malicious code waiting silently in the registry. To avoid creating any new file, Troj/FRuWL-Gen blocks Windows System File Checker and patches Kernel32.dll so that the malicious code runs on load. Execution takes place whenever any process starts on the computer.
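A defender-side check prompted by the registry-resident PE described above, added here as an example and not code from Sophos or the original article: it scans registry values (constructed samples embedded inline, value names made up) for an embedded PE image by validating the DOS header, e_lfanew and the PE signature rather than matching a bare "MZ" string.

```python
import struct
from typing import Dict, List, Optional, Tuple


def _build_minimal_pe() -> bytes:
    """Construct a minimal, non-executable PE image for the sample data."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE header at 0x40
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    optional = struct.pack("<H", 0x10B) + bytes(222)  # PE32 magic + padding
    return bytes(dos) + b"PE\0\0" + coff + optional


# Constructed sample registry values (name -> REG_BINARY-style bytes); not real data
SAMPLE_VALUES: Dict[str, bytes] = {
    "ProxyOverride": b"<local>;*.example.test\0",
    "Qx7kZp2": _build_minimal_pe(),                  # random-looking name, PE inside
    "aB9d1Ls": b"junk" * 13 + _build_minimal_pe(),   # PE preceded by filler bytes
    "Shell": b"explorer.exe\0",
    "FakeMZ": b"MZ" + bytes(70),                     # "MZ" tag but no PE signature
}


def find_embedded_pe(blob: bytes) -> Optional[int]:
    """Return the offset of the first valid PE image in blob, or None.

    Checks the DOS tag, that e_lfanew lands inside the blob, the PE\\0\\0
    signature and the optional-header magic, so plain text containing
    the letters "MZ" does not trigger a hit."""
    start = 0
    while True:
        mz = blob.find(b"MZ", start)
        if mz < 0 or mz + 0x40 > len(blob):
            return None
        e_lfanew = struct.unpack_from("<I", blob, mz + 0x3C)[0]
        pe = mz + e_lfanew
        if 0x40 <= e_lfanew < len(blob) and blob[pe:pe + 4] == b"PE\0\0":
            if pe + 26 <= len(blob):
                magic = struct.unpack_from("<H", blob, pe + 24)[0]
                if magic in (0x10B, 0x20B):  # PE32 or PE32+
                    return mz
        start = mz + 2


def scan_registry_values(values: Dict[str, bytes]) -> List[Tuple[str, int]]:
    """Flag every value that carries an embedded PE image as (name, offset)."""
    return [(n, find_embedded_pe(b)) for n, b in values.items()
            if find_embedded_pe(b) is not None]
```

On a live system the same function can be fed REG_BINARY values exported from a hive; a hit in an unexpected key is worth comparing against the loader mechanism described in the article.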
Wood concludes that the authors of this malicious program showed off their assembly programming skills. Hence, security experts were not surprised to find the malware packaged with other malicious and complex code such as W32/Vetor-A and W32/Scribble-B.
Related article: Malware Authors Turn More Insidious
» SPAMfighter News - 13-06-2009