Microsoft Malware Protection Center recently discovered a sneaky Trojan that deletes its components to stop forensic investigators and researchers from analyzing it. The downloader was the payload.
This particular malware is a trojan downloader, and is capable of deleting its downloaded component files in a way that makes them essentially unrecoverable. This prevents the files from being isolated and analyzed. Thus, during analysis of the downloader, we may not easily find any downloaded component files on the system; even when using file recovery tools, we may see somewhat suspicious deleted file names but we may be unable to recover the correct content of the file.
Although the purpose of most downloaders is to deliver the main malware, Microsoft's San Jose noted that "this downloader is a bit different in the way that it is the medium and also the main component." In other words, the downloader is the payload. Despite the malware's "hidden agenda," Microsoft managed to nab some components that were being downloaded from a remote server. One piece attempts to infect executable files on removable drives. It might "arrive on your computer as the file name 'igfxext.exe' that appears as part of a display graphics driver, in an effort to look inconspicuous." The other component steals passwords for email accounts, Windows Messenger/Live Messenger, Gmail Notifier, Google Desktop and Google Talk.
San Jose advised users who have been infected to change all account passwords after cleaning their system.
CSO pointed out that this particular Trojan highlights how malware authors are continually evolving "sophisticated techniques" to protect their own kind of malicious "intellectual property." Paul Henry, a forensic analyst for Lumension, told CSO Online, "Malware that covers its tracks to prevent the security community from developing quick defensive signatures is the norm today. Your grandfather's security solutions will leave you utterly defenseless against today's evolving threats."
Henry explained, "For some time, criminals have developed malware that can sense when it is in a virtualized workstation commonly used by researchers to isolate and study malicious code. When it is in such an environment, the malware will enter a dormant state, so it cannot be easily discovered. Other malware inserts its malicious code in system memory, never leaving a trail in the infected computer's registry or hard drive."
Jaime Blasco, labs manager at AlienVault Labs, told Dark Reading that more and more malware has "built-in anti-forensics features as well as the ability to deter investigators."
"In the case of Nemim, it is a clever idea since the analysts won't be able to determine the origin of the infection, and the infrastructure used to infect the systems will remain undiscovered for a longer period," he says. "In addition, most of the security companies rely on automatic environments that execute and emulate malicious programs. We have seen how more and more malware families are beginning to add capabilities to detect these environments and deter emulation. We have also seen some malware samples that only get activated if they detect human clicking activity on the system."
As malware writers become increasingly sneaky about anti-forensics, wouldn't it be great to be a step ahead of the bad guys? Well, Kaspersky Lab has released a new anti-malware product that is meant to beat deeply embedded rootkits and bootkits that manage to stay hidden.
World’s First Anti-Malware Product for UEFI
There's been plenty of ruckus raised since Microsoft decided to require UEFI (Unified Extensible Firmware Interface), which is like an updated BIOS that lets an OS access hardware. Kaspersky Lab has come out with the "world's first anti-malware product for UEFI." It is currently the only UEFI-compliant anti-malware product and is meant for "organizations with the most stringent IT security requirements, such as state agencies, military organizations, power plants, industrial companies, and any other entities where the malware-related data loss, data leakage or corruption poses the greatest threat."
Rootkits and bootkits can embed themselves deeply into the system and manage to hide by loading before conventional anti-virus. Kaspersky's solution "will be able to scan selected system files and memory addresses before the operating system even starts loading." Nikolay Grebennikov, CTO of Kaspersky Lab, said, "Previously, our enemies always had the advantage - they were the first to find loopholes, weaknesses, or zero-day vulnerabilities, and we had to find a cure after the fact. But now they simply won't be able to hide their malicious stuff anymore, as KUEFI will run at the lowest level possible and make sure that your system is clean and safe."
Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. Smith has a diverse background in information technology, programming, web development, IT consulting, and information security. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.
Smith is an independent contractor and is not affiliated with any vendor that makes or sells information technology.