Brazilian Online Attackers Utilize Block Cipher for Encoding Malicious Software
According to reports published by ThreatPost on November 10, 2011, Brazilian cyber-criminals who write banker Trojans have started using block ciphers, which work in a sophisticated manner, to encrypt their malware so that anti-virus programs cannot detect it.
Notably, a block cipher is generally understood as a symmetric cipher that operates on groups of bits of a fixed, pre-specified size, one block after another. Decoding the cipher, and therefore the virus, requires a secret key, without which decoding may not be possible.
Dmitry Bestuzhev, a researcher at Kaspersky Lab, encountered a few malicious files that, despite being JPEG files, had the form of a different image file such as BMP.
Bestuzhev says there were clues that the files contained malware encoded along with slightly more data. After further analysis, it became clear that this encoded malware had been encrypted with a block cipher.
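The two signals described above, an image file whose header does not match its extension and a body that is mostly high-entropy (encrypted) data, can be checked automatically. The triage routine below is an added example, not code from the article or from Kaspersky; the sample "files", the 512-byte header allowance and the 7.5 bits/byte threshold are constructed assumptions for illustration.

```python
import hashlib
import math
from typing import Optional

# Magic bytes for common image formats (signature -> format name).
MAGIC = {b"\xff\xd8\xff": "jpeg", b"BM": "bmp", b"\x89PNG\r\n\x1a\n": "png"}


def detect_format(data: bytes) -> Optional[str]:
    """Return the image format implied by the file header, or None."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(name: str, data: bytes, head: int = 512, threshold: float = 7.5) -> dict:
    """Flag a file whose extension disagrees with its header or whose
    body past the header is suspiciously close to random."""
    ext = name.rsplit(".", 1)[-1].lower()
    ext = "jpeg" if ext == "jpg" else ext
    fmt = detect_format(data)
    tail = data[head:]                      # skip a header-sized prefix (assumption)
    ent = shannon_entropy(tail)
    reasons = []
    if fmt is None:
        reasons.append("no known image signature")
    elif fmt != ext:
        reasons.append(f"extension says {ext} but header says {fmt}")
    if len(tail) >= 256 and ent >= threshold:
        reasons.append(f"high-entropy body ({ent:.2f} bits/byte)")
    return {"file": name, "format": fmt, "entropy": round(ent, 2),
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed samples: a plain BMP-like file of zeros, and a ".jpg" that
# carries a BMP header followed by pseudorandom (encrypted-looking) bytes.
BENIGN = b"BM" + bytes(4096)
SUSPECT = b"BM" + b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
```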
By using these ciphers, cyber-criminals defeat automated malware assessment systems: the systems download and scan the files with security software, which declares them safe, after which the files are subjected to no further checks.
Moreover, administrators of the websites that host these block-cipher-encrypted files will be unable to detect them, leaving the files in place rather than being addressed and their danger averted, Bestuzhev explains.
Bestuzhev further states that the creators of the banker Trojan Delf update their mirror websites with fresh editions of the malware every two days, changing the encryption technique and thereby making detection still harder.
Incidentally, malware investigators may not have the means required to counter block-cipher-encrypted viruses, so cyber-criminals will be quite efficient in using them. Further, although the encryption technique has so far remained the same when these virus creators publish fresh copies of the malware every two days, it is likely to change at any unspecified time.
Meanwhile, at the end of September 2011, Microsoft encountered an Alureon variant that used steganography to disguise itself as an innocuous-looking picture. The data-stealing Trojan arrived with an encrypted component, possibly produced with a block cipher, that was used to exchange messages between the infected PC and the remote C&C server.
Related article: Brazilian President's Party Website Disrupted
» SPAMfighter News - 17-11-2011