Tranwos Backdoor Manipulates EFS, Defeats Researchers’ Investigation
Security researchers recently discovered Tranwos, a backdoor Trojan that manipulates EFS (the Encrypting File System built into Windows PCs) so as to thwart their attempts at analyzing it.
According to Kazumasa Itabashi, Security Researcher at Symantec, it is not only easy for any software, malicious or otherwise, to use EFS; the utility can also be used quite successfully to stop forensic analysts from getting hold of the software's contents. Eweek.com published this on June 12, 2013.
Once the Trojan Tranwos infects a PC, it creates a backdoor that lets cyber-crooks pull down more malware. It then opens a temporary folder and calls the EncryptFileW Application Programming Interface to encrypt every file and folder that temporary folder contains.
Consequently, it becomes infeasible to recover the malware's program files from any other OS, say Linux, running on a system that may be accessing the infected PC, just as it prevents forensic tools from carrying out their investigation.
Itabashi blogged that an end-user who inadvertently ran Tranwos could view the contents inside it and also alter its encryption state. Since the malware thwarted forensic tool applications, it had to be run manually on another PC for testing, and only then could its contents be known. Symantec.com published the blog post on June 7, 2013.
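A defender-side check for the artifact described above, added here as an example and not taken from the Symantec or eWeek coverage: a PowerShell script that lists EFS-encrypted files under the temp directories and flags folders in which every file carries the Encrypted attribute. The directory roots are assumptions; adjust them to the profile under investigation.

```powershell
# Added example: hunt for EFS-encrypted files where user-mode malware
# typically stages its payload. Roots are assumed defaults, not from the article.
function Find-EfsEncryptedFiles {
    param(
        [string[]]$Roots = @($env:TEMP, "$env:SystemRoot\Temp")
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0 } |
            ForEach-Object {
                [PSCustomObject]@{
                    Path          = $_.FullName
                    Directory     = $_.DirectoryName
                    SizeBytes     = $_.Length
                    LastWriteTime = $_.LastWriteTimeUtc
                }
            }
    }
}

# Group hits per directory. A folder whose every file is EFS-encrypted matches
# the behaviour described in the article (a temp folder encrypted wholesale)
# and is worth triaging before the disk is imaged.
function Find-FullyEncryptedFolders {
    param([string[]]$Roots = @($env:TEMP, "$env:SystemRoot\Temp"))
    Find-EfsEncryptedFiles -Roots $Roots |
        Group-Object Directory |
        ForEach-Object {
            $total = @(Get-ChildItem -LiteralPath $_.Name -File -Force -ErrorAction SilentlyContinue).Count
            [PSCustomObject]@{
                Directory      = $_.Name
                EncryptedFiles = $_.Count
                TotalFiles     = $total
                AllEncrypted   = ($total -gt 0 -and $_.Count -eq $total)
            }
        }
}

Find-FullyEncryptedFolders | Where-Object AllEncrypted | Format-Table -AutoSize
```

Because EFS keys live in the profile of the account that ran the malware, flagged files should be copied or decrypted (for example with `cipher /d`) while logged in as that account, before the machine is taken offline for imaging.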
The malware could change its command-and-control (C&C) servers based on the instructions the remote criminal issued to it. Moreover, it was also configured to download additional malicious programs, the security expert indicated.
Intriguingly, it isn't unusual for malware to apply measures that foil analysts' efforts.
According to Will Irace, Vice-President of Threat Research at Fidelis Security Systems, a methodology that is not essentially new, but is sure to make the situation truly hard, is malicious operation inside the computer's memory combined with minimal communication between the malware and the PC. Usually, when a malware strain is detected on a computer, its artifacts as well as the files it creates are easily determined, says Irace. Eweek.com published this.
A few malware strains plant themselves masquerading as a service; some of these acquire persistence while others generate obfuscated logs, Irace explains.
» SPAMfighter News - 6/20/2013