Downloading shenanigans

There are many ways of delivering malicious code to a victim. One of the most common at present is a malicious script hosted on a web site that triggers a browser exploit in order to download a further component. That component might be the final Trojan payload or, as is often the case, yet another downloader. The result, in many cases, is a labyrinthine infection chain.

One of the recent obfuscated JavaScript Trojans to come through the lab (added as Troj/Xorm-A) typifies this type of attack. In brief:

  • Script deobfuscates to Mal/Psyme style exploit
  • Attempts to download binary from remote server
  • The binary is itself a downloader Trojan, which attempts to fetch a text file (123.txt) from the same domain
  • The text file contains further URLs pointing to other malicious files for it to download
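The chain above, worked through as an added example (not code from the original post, nor from the Trojan itself): the outer script is run with eval() and document.write() hooked so that the decoded stage is captured rather than executed, and the download URLs are then pulled out of the captured text. The one-byte XOR encoding is an assumption (the Troj/Xorm-A name hints at XOR, but the post does not describe the encoding), the URLs are placeholders on example.invalid, and the helper names are mine.

```javascript
// Added example (not code from the original post): peel an obfuscated
// multi-layer script by running it with eval() and document.write() hooked,
// then pull the download URLs out of the decoded stage without executing it.
// The XOR encoding and every URL below are constructed for this example.

const KEY = 0x2a; // one-byte XOR key, an assumption for the constructed sample

// Constructed "decoded stage": references placeholder URLs only.
const DECODED_STAGE =
  'var u="http://example.invalid/dl/1.exe";' +
  'var t="http://example.invalid/dl/123.txt";';

// Constructed stand-in for the 123.txt URL list fetched by the downloader.
const SAMPLE_URL_LIST = [
  'http://example.invalid/dl/ztt.exe',
  'http://example.invalid/dl/mhh.exe',
  '',
  'http://example.invalid/dl/4.exe',
  'http://example.invalid/dl/wow.exe',
].join('\r\n');

function xorBytes(text, key) {
  return Array.from(text, (ch) => ch.charCodeAt(0) ^ key);
}

// Build the outer (obfuscated) layer: a byte array decoded in a loop and
// handed to eval(), the shape many script downloaders take.
function buildObfuscatedSample() {
  const a = xorBytes(DECODED_STAGE, KEY);
  return (
    `var k=${KEY};var a=[${a.join(',')}];var s='';` +
    'for(var i=0;i<a.length;i++){s+=String.fromCharCode(a[i]^k);}' +
    'eval(s);'
  );
}

// A stage that never reaches eval()/document.write() is treated as final and
// is not run: that is where the exploit or downloader logic would live.
const SINK_RE = /\beval\s*\(|document\.write\s*\(/;

// Run each layer with eval and document.write replaced by capture hooks.
// The layer itself is executed in-process, so do this only on an isolated
// analysis machine; the hooks keep the decoded code from running, nothing more.
function deobfuscate(script, maxLayers = 8) {
  const stages = [];
  let current = script;
  for (let i = 0; i < maxLayers && SINK_RE.test(current); i++) {
    let next = null;
    const capture = (s) => { next = String(s); };
    // Naming a parameter "eval" shadows the real eval inside the sloppy-mode body.
    const run = new Function('eval', 'document', 'window', current);
    run(capture, { write: capture }, {});
    if (next === null) break;
    stages.push(next);
    current = next;
  }
  return stages;
}

// Pull every distinct http(s) URL out of a decoded stage or a URL-list file.
function extractUrls(text) {
  const matches = text.match(/https?:\/\/[^\s"'<>()]+/g) || [];
  return [...new Set(matches)];
}

function analyse(script) {
  const stages = deobfuscate(script);
  return { layers: stages.length, urls: extractUrls(stages.join('\n')) };
}

// Stand-alone usage: print the indicators an analyst would go looking for.
const result = analyse(buildObfuscatedSample());
console.log('peeled layers:', result.layers);
console.log('stage-1 URLs:', result.urls);
console.log('URL-list entries:', extractUrls(SAMPLE_URL_LIST));
```

The same extractUrls() serves both the decoded script and the downloaded URL list, which is the point: once the hosted content can be rotated, the URLs an analyst harvests today are what lets the next fetch be checked against detection before anything is run.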

When first analysed the downloader itself was undetected (detection has since been added as Troj/DwnLdr-GTZ). At the time of testing, the text file it downloaded contained URLs for four further malicious files, all of them proactively detected:

'Mal/Packer' found in file ./ztt.exe.1/FILE:0000
'Troj/PSW-Gen' found in file ./mhh.exe/FILE:0000
'Mal/Behav-106' found in file ./4.exe
'Mal/Packer' found in file ./wow.exe

This type of multi-component attack is typical of what we see every day. By using downloader components, the bad guys can continually modify or rotate the content hosted at any of the URLs, potentially changing the nature of the attack entirely. That makes the usual questions, "Do you detect this?" and "What does this do?", harder to answer. But the evidence from this attack (and many others like it) shows that good proactive detection is an essential component of any security product.