Malware Authors Adopting Innovative Ways to Hide Malicious Codes

According to Mike Wood, Threat Researcher at Sophos, authors of new Trojan downloaders will have to work harder to develop new tactics for hiding their threats, because security researchers are developing more sophisticated applications to identify anything that indicates a potential attack, as reported by securitywatch.eweek on June 9, 2009.

Wood gave the example of recently found malware known as Troj/FRuWL-Gen, which tried a number of methods to remain unnoticed while resident on an infected machine.

Explaining the propagation method of the malware, Wood said in a blog post at Sophos.com on June 5, 2009 that Troj/FRuWL-Gen was nothing but a dropper that installed another Trojan on the infected machine before deleting itself. Although the installation pattern was typical, the way it was carried out was very interesting.

To carry out the installation, the Trojan used two different exported functions. One handled downloading of the attack, while the other examined the installation process and made sure that the payload was successfully passed to the device involved. Separating the two functions made the malware more difficult to detect and even harder to stop.

Furthermore, Troj/FRuWL-Gen attached a whole portable executable (PE) file to the infected system's registry instead of creating a new file on the computer's disk. The PE file was concealed under randomly created file names and tucked away to look more innocuous, said Sophos, as reported by securitywatch.eweek on June 9, 2009.
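A defender can hunt for this kind of registry-resident PE image by checking binary values in a registry export for an MZ header whose `e_lfanew` field points at a `PE\0\0` signature. The sketch below is an added example, not code from Sophos or from the article. The key name, value names and the minimal PE-shaped blob are constructed sample data, and `find_pe_values`, `looks_like_pe` and `to_reg_hex` are hypothetical helper names.

```python
import re
import struct

def looks_like_pe(data: bytes) -> bool:
    # DOS header is 0x40 bytes; the dword at 0x3C (e_lfanew) locates the PE signature.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def find_pe_values(reg_text: str):
    """Return (key, value_name, size) for each binary value holding a PE image."""
    hits, key = [], None
    # regedit wraps long hex values; a trailing backslash marks a continuation line.
    joined = re.sub(r"\\\r?\n\s*", "", reg_text)
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=hex(?:\([0-9a-fA-F]+\))?:(.*)$', line)
        if not m:
            continue  # string, dword or non-value line
        try:
            data = bytes.fromhex(m.group(2).replace(",", ""))
        except ValueError:
            continue  # malformed hex, skip rather than abort the scan
        if looks_like_pe(data):
            hits.append((key, m.group(1).strip('"'), len(data)))
    return hits

def to_reg_hex(data: bytes, width: int = 16) -> str:
    # Encode bytes the way a .reg export does, wrapped with backslash continuations.
    rows = [",".join(f"{b:02x}" for b in data[i:i + width])
            for i in range(0, len(data), width)]
    return ",\\\n  ".join(rows)

# Constructed sample: a minimal PE-shaped blob (headers only) in a made-up key.
SAMPLE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\ExampleVendor]\n"
    '"Version"="1.0"\n'
    '"Settings"=hex:01,00,00,00\n'
    f'"qzxwv"=hex:{to_reg_hex(SAMPLE_PE)}\n'
)

if __name__ == "__main__":
    for key, name, size in find_pe_values(SAMPLE_REG):
        print(f"PE image in registry value: {key}\\{name} ({size} bytes)")
```

Exports written by regedit are UTF-16 text, so decode the file with `encoding="utf-16"` before passing it to `find_pe_values`.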

In fact, the cleverness of the malware continues with how it executes the malicious code waiting silently in the registry. In order to avoid creating any new file, Troj/FRuWL-Gen blocks Windows System File Checker and patches Kernel32.dll to execute malicious code on load. The execution takes place when any process starts on the computer.

Wood concludes that the authors of this malicious program exhibited their assembly programming skills. Hence, security experts were not surprised when they found the malware packaged with other malicious and complex code such as W32/Vetor-A and W32/Scribble-B.


» SPAMfighter News - 6/13/2009
