Trend Micro Discovers New Malware that Uses Obfuscation Techniques

Security researchers at Trend Micro (an online security provider) have reported of recently uncovering a fresh malicious program on the Web identified as JS_VIRTOOL that employs an obfuscation technique with which a unique encryption key gets generated for each infected page, as reported by SoftPedia on June 29, 2009.

Trend Micro says that in the present time it knows of several versions of this malicious program all of which employ the same code obfuscation method but contain varied encrypted contents.

According to the security company, the variants possibly contain decrypted data that is same for all but the difference is that the URL location for decoding each version varies.

While the JS_VIRTOOL operates, it wouldn't at all be possible to decrypt without the knowledge of the URL which contains a particular extractable variant. Moreover, the malicious program recovers the URL link from its location to subsequently include it within its own operation. Following this, the malware computes this whole string's CRC with which it encrypts its operation.

Jonathan San Jose, Threat Analyst at Trend Micro, explains that in this particular instance, the malware's encrypted code would not run in case the operation is disturbed or the URL is incorrect, as reported by SOFTPEDIA on June 29, 2009.

Thus, the security researchers state that in the above circumstances, it could take time to detect the malicious scripts and release their suitable solutions for users. In other words, anti-malware solutions like AV software could take long to emerge so that people could use them to safeguard their systems. Till then, users' online security would remain at risk.

In the meantime, malware on the web has been especially prevalent during recent periods. During 2009, a number of bulk injection attacks damaged massive number of websites has been identified. These attacks successively included Gumblar, Beladen and Nine-Ball website compromises that used hijacked FTP (File Transfer Protocol) accounts in place of Web-flaws such as SQL injection or cross-site scripting.

In fact, UK-based AV vendor 'Prevx' has recently found a dump website that has stolen FTP identification details for over 68,000 websites, with some of them being extremely high-profile.

Related article: Trend Micro Detects Spam Mail Declaring World War III

» SPAMfighter News - 7/13/2009