Inside the "PlugX" malware with SophosLabs - a fascinating journey into a malware factory...

Filed Under: Featured, Malware

Join SophosLabs Principal Researcher Gabor Szappanos (Szappi) as he takes you on a fascinating journey into the PlugX malware factory.

This is a malware family that keeps evolving as the criminals in charge of it churn out new variants.

Just like legitimate software, malware has major version upgrades and point releases.

In this paper, Szappi looks at the recently-released Version 6.0 of the PlugX malware framework.

You'll enjoy Szappi's paper because it's not so technical as to get bogged down in researcher-only jargon, yet not so high-level as to skip over the details that help you to understand how virus writers think.

Szappi writes clearly and logically, taking apart and explaining the numerous and deliberately-distinct phases in the malware's infection mechanism.

Splitting up malware means that each step does only a small piece of the overall work, in order to avoid looking suspicious on its own.

The aim is to reduce the chance of being flagged as dangerous by heuristic defences that expect more complex behaviour.

Szappi even uses some debugging features left behind in the malware to estimate the size of the programming project behind it, using a statistical technique first used in anger during the Second World War.

The Allies used it to convert observations from the field into reliable estimates of how many tanks the Nazis had at their disposal; now it's turned against the PlugX crew.
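The technique alluded to above is usually called the "German tank problem": if the items you observe carry serial numbers drawn uniformly from 1..N, the largest serial seen and the number of observations give a surprisingly good estimate of N. The paper applies it to debugging leftovers in PlugX; the block below is an added illustration, not code from the paper or from SophosLabs, and it assumes (as a hypothetical) that the leftover artefact is a handful of sequential build or sample identifiers. It implements the general estimator rather than the paper's specific numbers, plus a one-sided confidence bound and a seeded simulation that shows the estimator is unbiased.

```python
"""German tank problem estimator, as an analyst might apply it to
sequential build identifiers recovered from malware samples.

Assumption (hypothetical, not from the paper): the observed identifiers
are a uniform random sample, without replacement, from 1..N, where N is
the total number of builds the authors produced.
"""
import random
from typing import Sequence

# Constructed sample: four build identifiers "recovered" from four samples.
# These values are invented for the example and carry no real-world meaning.
CONSTRUCTED_BUILD_IDS = [14, 32, 8, 61]


def estimate_total(serials: Sequence[int]) -> float:
    """Minimum-variance unbiased estimate of N from k observed serials.

    N_hat = m + m/k - 1, where m is the largest serial seen and k the
    number of serials. Intuition: the k observations split 1..m into
    roughly equal gaps, and one more such gap is expected above m.
    """
    if not serials:
        raise ValueError("need at least one observed serial")
    k = len(serials)
    m = max(serials)
    return m + m / k - 1


def upper_bound(serials: Sequence[int], confidence: float = 0.95) -> float:
    """One-sided upper confidence bound on N.

    For a uniform sample, P(max <= m) is approximately (m/N)^k, so the
    event N > m / alpha^(1/k) has probability at most alpha. The bound is
    the value an analyst would quote as "almost certainly no more than".
    """
    if not serials:
        raise ValueError("need at least one observed serial")
    k = len(serials)
    m = max(serials)
    alpha = 1.0 - confidence
    return m / alpha ** (1.0 / k)


def mean_estimate_by_simulation(n_true: int, k: int,
                                trials: int = 2000, seed: int = 1) -> float:
    """Draw `trials` samples of size k from 1..n_true and average the
    estimator; the result should sit close to n_true, which is what
    'unbiased' means in practice."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    total = 0.0
    for _ in range(trials):
        sample = rng.sample(range(1, n_true + 1), k)
        total += estimate_total(sample)
    return total / trials


if __name__ == "__main__":
    print("observed build ids:", CONSTRUCTED_BUILD_IDS)
    print("point estimate of total builds:",
          round(estimate_total(CONSTRUCTED_BUILD_IDS), 2))
    print("95% upper bound:", round(upper_bound(CONSTRUCTED_BUILD_IDS), 1))
    print("simulated mean estimate for N=100, k=5:",
          round(mean_estimate_by_simulation(100, 5), 2))
```

With the constructed identifiers the point estimate is 75.25 builds while the 95% upper bound is about 129, which is the honest way to report it: four observations pin down the scale, not the exact count. The estimate only holds if the identifiers really are sequential and the samples are a fair draw; a collection biased towards recent builds will overestimate N.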

And Szappi describes how, and why, the malware carries around with it a pirated copy of a legitimate, digitally-signed application (this one is from Chinese social media outfit Tencent) to help it do its dirty work.

A fascinating paper, well worth reading: clearly written, interesting, and informative.

Download now

2 Responses to Inside the "PlugX" malware with SophosLabs - a fascinating journey into a malware factory...

  1. Nate · 490 days ago

    Download? Are you serious?

  2. sean · 490 days ago

    Outstanding paper by Szappi, really appreciated.

    Oh, and easy to read and understand while providing good detail.

    Thanks

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog