Explore the latest news and trends  

Keep yourself up to date with one of the following options:

  • Explore more news around Spam/Phishing, Malware/Cyber-attacks and Antivirus
  • Receive news and special offers from SPAMfighter directly in you inbox.
  • Get free tips and tricks from our blog and improve your security when surfing the net.
  • Go

Malware Authors Adopting Innovative Ways to Hide Malicious Codes

According to Mike Wood, Threat Researcher at Sophos, authors of new Trojan downloaders will have to work harder to develop new tactics for hiding their threats as security researchers are developing more sophisticated applications to identify anything that indicates to the potential attack, as reported by securitywatch.eweek on June 9, 2009.

Wood gave an example of recently found malware known as Troj/FRuWL-Gen that had tried a number of methods to remain unnoticed, as a resident of an infected machine.

Explaining the propagation method of the malware, Wood said in a blog post at Sophos.com on June 5, 2009 that Troj/FRuWL-Gen was nothing but a dropper that installed another Trojan in the infected machine before deleting itself. Although the installation pattern was typical, the modus operandi of accomplishing this installation pattern was very interesting.

To accomplish this installation pattern, the Trojan used two different exported functions. One was related to downloading of the attack, while another examined the installation process and made sure that the payload successfully passed to involved device. The separation of both the functionalities made the detection of malware more difficult and even harder to stop.

Furthermore, Trojan Troj/FRuWL-Gen attached a whole portable executable (PE) file to the infected system registry instead of creating a new file on the computer disk. The PE files was concealed under randomly created files names and tucked away as more innocuous, said Sophos, as reported by securitywatch.eweek on June 9, 2009.

In fact, the cleverness of the malware continues with the installation process to execute the malicious code waiting silently in the registry. In order to avoid creating any new file, Trojan Troj/FRuWL-Gen blocks the function of Windows System File Checker and patches Kernel32.dll to execute malicious code on load. The execution takes place when any process starts on the computer.

Wood concludes that the authors of this malicious program exhibited their skills of assembly programming. Hence, security experts didn't surprise when they found the malware packaged with other malicious and complex code such as W32/Vetor-A and W32/Scribble-B.

Related article: Malware Authors Turn More Insidious

ยป SPAMfighter News - 13-06-2009

3 simple steps to update drivers on your Windows PCSlow PC? Optimize your Slow PC with SLOW-PCfighter!Email Cluttered with Spam? Free Spam Filter!

Exchange Anti Spam Filter
Go back to previous page
Next