Self cleaning malware back in vogue?

Back in the 1980s and early 1990s self-disinfection was a technique used exclusively by parasitic viruses to avoid detection; however, it seems modern malware writers have rediscovered it.

The sample arrives as a specially crafted Word document about the Chinese earthquake (spammers and malware authors love newsworthy, sensational headlines to peddle their wares), which when opened undergoes something of a metamorphosis.

[Image: china_rtf.PNG]

As the document is opened, a keen observer might notice the apparent crash-and-reload of Word and suspect something is amiss, while more often than not the slight flicker goes unnoticed. But what of it? Has the document misbehaved? Perhaps it is time to send a sample to your AV vendor just in case…

The submitted sample is reported “Clean”, yet your computer hasn’t been the same since you opened that document… what’s going on? The submitted sample is just a plain RTF document with no malicious content.

[Image: hex_rtf.PNG]

Analysis of the original OLE2 document yields shellcode which overwrites the OLE2 document with an RTF containing the text that is eventually viewed – in other words, self-disinfection to hide its tracks. The shellcode also drops and runs a Trojan which injects a DLL into the explorer process and attempts to download and run more malware.
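The practical consequence of this overwrite is that the file a user later submits is not the file that was delivered. The following is an added example, not code from the original post or from the vendor, showing one defensive check: compare the copy of an attachment retained at a mail gateway (assumed to exist for this example) with the copy now on disk, and flag the case where an OLE2 document has become an RTF. The sample bytes are constructed and stand in for the real documents.

```python
import hashlib

# Leading bytes of the two container formats described in the post.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # compound file header (classic .doc)
RTF_MAGIC = b"{\\rtf"                             # every RTF file starts with {\rtf

# Constructed stand-ins: a truncated OLE2 header as the gateway would have kept it,
# and the benign RTF the shellcode is said to leave behind on disk.
GATEWAY_SAMPLE = OLE2_MAGIC + bytes(504)
DISK_SAMPLE = b"{\\rtf1\\ansi Placeholder earthquake article (constructed sample).}"


def sniff_doc_format(data: bytes) -> str:
    """Identify the container by content, ignoring the file extension entirely."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.lstrip().startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_with_gateway_copy(gateway_copy: bytes, on_disk_copy: bytes) -> dict:
    """Compare the attachment as delivered with the file that exists now.

    Any hash mismatch means the document changed after delivery; an OLE2 document
    that is now an RTF matches the self-disinfection pattern in the post and is
    the strongest signal to keep the gateway copy for analysis instead of the disk copy.
    """
    gateway_format = sniff_doc_format(gateway_copy)
    disk_format = sniff_doc_format(on_disk_copy)
    changed = sha256(gateway_copy) != sha256(on_disk_copy)
    return {
        "gateway_format": gateway_format,
        "disk_format": disk_format,
        "gateway_sha256": sha256(gateway_copy),
        "disk_sha256": sha256(on_disk_copy),
        "content_changed": changed,
        "self_disinfection_suspected": changed
        and gateway_format == "ole2"
        and disk_format == "rtf",
    }


if __name__ == "__main__":
    report = compare_with_gateway_copy(GATEWAY_SAMPLE, DISK_SAMPLE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The point of hashing both copies rather than only sniffing the format is that a sample which merely changed (any rewrite after delivery) is already worth escalating; the format transition narrows it to the specific behaviour described here, and tells the responder which copy to send to the AV vendor.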

[Image: china_ida.PNG]

Interestingly, no persistence hooks are put in place to restart the dropped malware upon reboot, which often makes the components more difficult to locate during forensics.

Opening documents from unknown or untrusted sources is always a bad idea, and discovering what has gone wrong can be much more difficult when the evidence removes itself.