Downloading shenanigans

Filed Under: Malware, SophosLabs

There are many ways of delivering malicious code to the victim. One of the most common methods used currently involves using malicious scripts hosted on web sites to trigger a browser exploit in order to download some other component. This might be the final Trojan payload, or (as is often the case) another downloading component. We end up with quite labyrinthine infection mechanisms in many cases.

One of the recent obfuscated JavaScript Trojans that has come through the lab (being added as Troj/Xorm-A) typifies this type of attack. In brief:

  • Script deobfuscates to a Mal/Psyme-style exploit
  • Attempts to download a binary from a remote server:
    h__p://(blocked).com/ad/pic/temp.exe
  • This binary is a downloader Trojan which attempts to download a text file (123.txt) from the same domain
  • The text file contains further URLs pointing to other malicious files for it to download

The downloader itself was undetected when first analysed (detection has been added for this as Troj/DwnLdr-GTZ). At the time of testing, the text file it downloaded contained URLs to 4 other malicious files, all proactively detected:

'Mal/Packer' found in file ./ztt.exe.1/FILE:0000
'Troj/PSW-Gen' found in file ./mhh.exe/FILE:0000
'Mal/Behav-106' found in file ./4.exe
'Mal/Packer' found in file ./wow.exe

This type of multicomponent attack is typical of what we see each and every day. By using downloader components in an attack, the bad guys are able to continually modify/rotate the content hosted at any of the URLs, potentially changing the nature of the attack entirely. Answering typical questions such as "Do you detect this?" and "What does this do?" becomes harder. But the evidence from this attack (and many others similar) shows that good proactive detection abilities are an essential component of security products.
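
To show how a defender might spot the chain described above in web-proxy telemetry, here is an added example (my own illustration, not SophosLabs code). It groups proxy requests per client in time order and flags the sequence: an executable download, then a .txt fetch from the same host as that executable, then two or more further executable downloads within a short window. The log format, hostnames, client addresses and timestamps are all constructed for the example; only the file names echo the post.

```python
"""Heuristic for multi-stage downloader chains in web-proxy logs.

Added illustration, not code from the post. The pattern it looks for is the
one the post describes: exe fetched -> text 'manifest' fetched from the same
host -> several further exe fetches listed in that manifest.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log lines: "<timestamp> <client_ip> <url> <content-type>".
# Hostnames are placeholders, not indicators from the post.
SAMPLE_LOG = """\
2008-03-01T10:00:01 10.0.0.5 http://site-a.example/ad/pic/temp.exe application/octet-stream
2008-03-01T10:00:04 10.0.0.5 http://site-a.example/ad/pic/123.txt text/plain
2008-03-01T10:00:06 10.0.0.5 http://site-b.example/ztt.exe application/octet-stream
2008-03-01T10:00:07 10.0.0.5 http://site-c.example/mhh.exe application/octet-stream
2008-03-01T10:00:09 10.0.0.5 http://site-d.example/4.exe application/octet-stream
2008-03-01T10:05:00 10.0.0.9 http://updates.example/app.exe application/octet-stream
2008-03-01T10:05:03 10.0.0.9 http://updates.example/readme.txt text/plain
"""

WINDOW = timedelta(minutes=5)   # assumed: whole chain completes within this
MIN_FOLLOWUPS = 2               # assumed: manifest leads to at least this many exe fetches


def parse_log(text):
    """Parse the constructed log format into (time, client, url, ctype), sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, url, ctype = line.split()
        records.append((datetime.fromisoformat(ts), client, url, ctype))
    records.sort(key=lambda r: r[0])
    return records


def is_exe(url, ctype):
    """Treat .exe paths or octet-stream responses as executable downloads."""
    return url.lower().endswith(".exe") or ctype == "application/octet-stream"


def find_chains(records, window=WINDOW, min_followups=MIN_FOLLOWUPS):
    """Return {client: [(stage1_exe_url, manifest_url, [follow-up exe urls])]}.

    For each executable a client fetches, look ahead within `window` for a
    .txt fetched from the same host (the manifest) and, after it, further
    executable fetches. Clients whose requests fit that shape are reported.
    """
    by_client = defaultdict(list)
    for rec in records:
        by_client[rec[1]].append(rec)

    hits = defaultdict(list)
    for client, reqs in by_client.items():
        for i, (t0, _, url0, ct0) in enumerate(reqs):
            if not is_exe(url0, ct0):
                continue
            host0 = urlparse(url0).hostname
            manifest = None
            followups = []
            for t, _, url, ct in reqs[i + 1:]:
                if t - t0 > window:
                    break
                if manifest is None:
                    if urlparse(url).hostname == host0 and url.lower().endswith(".txt"):
                        manifest = url
                elif is_exe(url, ct):
                    followups.append(url)
            if manifest and len(followups) >= min_followups:
                hits[client].append((url0, manifest, followups))
    return dict(hits)


if __name__ == "__main__":
    for client, chains in find_chains(parse_log(SAMPLE_LOG)).items():
        for stage1, manifest, followups in chains:
            print(f"{client}: {stage1} -> {manifest} -> {len(followups)} further downloads")
```

Running it on the sample flags only 10.0.0.5 (temp.exe, then 123.txt from the same host, then three further executables); 10.0.0.9, which fetched an installer and a readme.txt with nothing after, is left alone. The thresholds are deliberately loose because, as the post notes, the content behind any of these URLs can be rotated at will, so the heuristic keys on the shape of the download sequence rather than on any particular file name or host.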

About the author

Fraser is one of the Principal Virus Researchers in SophosLabs. He has been working for Sophos since 2006, and his main interest is in web related threats.