W32/Xpaj Botnet Expanding Fast
Security researchers report a new computer worm, W32/Xpaj, that is spreading rapidly worldwide. The malware uses well-known techniques for evading detection and removal, techniques that are rarely seen in live, in-the-wild virus investigations.
Describing how the worm works, the researchers said W32/Xpaj infects files by randomly shuffling code blocks. It does this without changing the file's original entry point. Instead, it splits its own code into a number of blocks, each performing some function, and moves them to randomly selected locations throughout the code section of the file being infected. The technique is the same one W32/Zmist used earlier, except that W32/Xpaj replaces existing code rather than inserting new code.
The polymorphic decryptor of W32/Xpaj is likewise split across several code blocks linked by unconditional jumps. When the decryptor runs, it gains control and performs several actions, such as changing the protection flags of the memory holding the worm, decrypting the worm's code and then jumping to the decrypted code.
According to the researchers, W32/Xpaj is building an army of zombie computers and has already compromised several thousand PCs. It is infecting machines widely and spreading across numerous countries; the attacks chiefly target organizations, but they are now spreading to consumer systems as well.
Most bots connect to a single central server that controls the whole botnet. By contrast, W32/Xpaj uses several control channels for communicating with and controlling its bots. The malware applies techniques similar to those used by the Srizbi botnet and by Conficker: it uses randomly generated DNS names for its central server. W32/Xpaj does not know the central server's location, but it knows how to find it, which in turn makes it possible to predict which host is in use at any given time.
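The rendezvous mechanism described above cuts both ways: because bot and analyst derive the same domain list from the same inputs, the day's candidate domains can be predicted and matched against DNS logs. The following is an added illustration, not code from the article or from W32/Xpaj itself; the seed, TLD list, label length and log format are all constructed assumptions, since the article gives no details of Xpaj's actual algorithm.

```python
import hashlib

# Constructed, illustrative DGA. It is NOT W32/Xpaj's real algorithm (the
# article gives no details); the seed and TLD list are assumptions.
SEED = b"example-botnet-seed"
TLDS = ("com", "net", "org")
LABEL_LEN = 10

def dga_domains(day, count=8):
    """Candidate rendezvous domains for an ISO date string such as '2009-10-29'.

    Bot and analyst derive the same list from date and seed, which is why a
    DGA's domains can be predicted (and sinkholed or blocked) once the
    algorithm has been recovered from a sample.
    """
    domains = []
    for i in range(count):
        h = hashlib.sha256(SEED + day.encode() + bytes([i])).digest()
        # Map the first LABEL_LEN digest bytes onto lowercase letters.
        label = "".join(chr(ord("a") + b % 26) for b in h[:LABEL_LEN])
        domains.append(label + "." + TLDS[h[LABEL_LEN] % len(TLDS)])
    return domains

def flag_dga_queries(log_lines, day):
    """Return queried names in DNS log lines that hit the day's predicted set.

    Lines follow a constructed '<timestamp> <client-ip> <qname>' layout.
    """
    predicted = set(dga_domains(day))
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        qname = parts[2].rstrip(".").lower()
        if qname in predicted:
            hits.append(qname)
    return hits

# Constructed sample log: two benign lookups and one DGA rendezvous attempt.
SAMPLE_LOG = [
    "2009-10-29T10:01:02 10.0.0.5 www.example.com.",
    "2009-10-29T10:01:03 10.0.0.5 " + dga_domains("2009-10-29")[2] + ".",
    "2009-10-29T10:01:04 10.0.0.7 mail.example.org.",
]

if __name__ == "__main__":
    print("predicted:", dga_domains("2009-10-29"))
    print("hits:", flag_dga_queries(SAMPLE_LOG, "2009-10-29"))
```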
To protect the botnet from being hijacked, W32/Xpaj accepts only digitally signed commands and payloads. The malware writers use the MD5 cryptographic hash algorithm to authenticate the payloads sent by the central server.
» SPAMfighter News - 29-10-2009