For the most part malware is easy to identify and categorise, as it is usually either a single malicious file or a small collection of malicious files, but the scripting capabilities of most archivers and installers are changing this. As I previously discussed here, multi-component malware can be tricky to untangle but is often easy to detect because the individual components are themselves malicious; the problem becomes more tricky…
One such example (detected as Troj/Bckdr-QOE) is a ~400 KB WinRAR self-extracting archive (SFX) with an embedded script that specifies the deployment path and the launch sequence:
Path=%systemroot%\system32\winnt
SavePath
Setup=alg.exe
Setup=pic.url
Setup=start.exe
Silent=1
Overwrite=2

The archive script deploys the components into a sub-folder (winnt) under system32 and then launches the deployed applications, all silently while you enjoy the picture referenced by pic.url 🙂
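The script above is small enough to check mechanically. The following is an added example (not code from the original post or from Sophos) that parses the SFX command block into a command-to-values map and flags the combination the sample relies on: silent extraction, a system-directory destination, more than one executable started after extraction, and a non-executable decoy (pic.url) opened alongside them. The finding codes, the extension list and the threshold of two executables are my own choices for illustration; the script text is the one quoted above.

```python
"""Parse a WinRAR SFX script and flag a silent multi-component deployment."""
import ntpath
from typing import Dict, List, Tuple

# The SFX script quoted above from the Troj/Bckdr-QOE sample, verbatim.
SAMPLE_SCRIPT = r"""
Path=%systemroot%\system32\winnt
SavePath
Setup=alg.exe
Setup=pic.url
Setup=start.exe
Silent=1
Overwrite=2
"""

# Extensions Windows will execute directly when a Setup= line names them.
EXEC_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".wsf"}
# Destinations a user-facing installer has no business extracting into.
SYSTEM_LOCATIONS = ("%systemroot%", "%windir%", "\\system32")


def parse_sfx_script(text: str) -> Dict[str, List[str]]:
    """Map each command (lower-cased) to its values, in script order.

    Setup= may repeat, so values are kept as a list. A bare keyword such as
    SavePath maps to an empty list so its presence can still be tested.
    """
    commands: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        key, sep, value = line.partition("=")
        values = commands.setdefault(key.strip().lower(), [])
        if sep:
            values.append(value.strip())
    return commands


def _first(commands: Dict[str, List[str]], key: str, default: str) -> str:
    values = commands.get(key)
    return values[0] if values else default


def assess_sfx_script(text: str) -> List[Tuple[str, str]]:
    """Return (finding code, detail) pairs for behaviours worth a closer look."""
    cmds = parse_sfx_script(text)
    findings: List[Tuple[str, str]] = []

    setups = cmds.get("setup", [])
    exes = [s for s in setups if ntpath.splitext(s)[1].lower() in EXEC_EXTS]
    decoys = [s for s in setups if s not in exes]
    path = _first(cmds, "path", "").lower()
    silent = _first(cmds, "silent", "0")
    overwrite = _first(cmds, "overwrite", "0")

    if silent != "0":
        findings.append(("silent", "extraction runs without the start dialog (Silent=%s)" % silent))
    if path and any(loc in path for loc in SYSTEM_LOCATIONS):
        findings.append(("system_path", "extracts into a system location: %s" % path))
    if "savepath" in cmds:
        findings.append(("savepath", "SavePath: WinRAR remembers the destination path in the registry"))
    if len(exes) >= 2:
        findings.append(("multi_exec", "launches %d executables after extraction: %s"
                         % (len(exes), ", ".join(exes))))
    if exes and decoys:
        findings.append(("decoy", "non-executable file opened alongside executables: %s"
                         % ", ".join(decoys)))
    if overwrite != "0":
        findings.append(("overwrite", "existing files handled without prompting (Overwrite=%s)" % overwrite))
    return findings


def is_suspicious(text: str) -> bool:
    """The combination this sample shows: silent, and more than one executable launched."""
    codes = {code for code, _ in assess_sfx_script(text)}
    return {"silent", "multi_exec"} <= codes


if __name__ == "__main__":
    for code, detail in assess_sfx_script(SAMPLE_SCRIPT):
        print("%-12s %s" % (code, detail))
    print("suspicious:", is_suspicious(SAMPLE_SCRIPT))
```

The point of keeping the finding codes separate from the verdict is that a single flag (a system-directory Path, or an Overwrite setting) is common in legitimate installers; it is the silent launch of several executables, with a decoy document for the victim to look at, that characterises this sample.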
The archive contains a handful of files which by themselves pose no serious risk, yet acting together they function as a backdoor to the compromised system.

Name           Size    Packed  Ratio  Date      Time   Attr    CRC
-----------------------------------------------------------------------
System.exe    413696   202292   48%   29-12-06  03:30  .....A  A3BDC68E
3proxy.cfg       132      112   84%   30-05-08  20:25  .....A  A7D3842D
cssrs.exe     123392    51829   42%   23-10-07  12:54  .....A  E05C8656
start.exe     104327    50734   48%   01-06-08  20:02  .....A  8282C22F
alg.exe        37888    23969   63%   09-06-08  03:35  .....A  54BA43CD
register.reg    1614      537   33%   11-06-08  00:44  .....A  1FD57B78
pic.url          133      132   99%   09-07-08  01:44  .....A  ECA6B66B
-----------------------------------------------------------------------
The operation is simple. Launched first is alg.exe, an ExeScript application that runs a compiled version of a script. This script is the master controller: it starts the proxy and instructs the SSH utility to establish a remote tunnel to an external server.
Start.exe is another WinRAR SFX, which deploys a shortcut named “DiskDoctor” in the Startup folder (the shortcut points to the installed alg.exe) in an effort to maintain persistence. This completes the initial installation.
The file cssrs.exe is in fact a copy of the 3proxy tiny proxy server (the 3proxy.cfg in the listing is its configuration file), and system.exe is a copy of the popular SSH client PuTTY. Importing register.reg pre-seeds PuTTY's settings in the registry (under HKEY_CURRENT_USER\Software\SimonTatham\PuTTY) with the remote server's host key, so the connection never stops at the unknown-host-key prompt that would otherwise need a user to click through. Note also that cssrs.exe and alg.exe borrow names that resemble legitimate Windows processes (csrss.exe and the Application Layer Gateway service's alg.exe), which helps them blend into a process list.
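A .reg file that writes under PuTTY's SshHostKeys key is the tell-tale for this trick, and it is easy to check for. The following is an added example (not code from the original post or from Sophos): a small parser for regedit exports that reports host keys and saved sessions being seeded under HKEY_CURRENT_USER\Software\SimonTatham\PuTTY. The registry paths and the "keytype@port:host" value-name layout are PuTTY's own; the sample file, the host 203.0.113.10 (a documentation address) and the placeholder key data are constructed for the example, since the post does not reproduce the real register.reg.

```python
"""Spot a .reg file that pre-seeds PuTTY with a host key and a saved session."""
import re
from typing import Dict, List, Tuple

# Constructed stand-in for register.reg (the post does not reproduce the real
# file). 203.0.113.10 is a documentation address; the key data is a placeholder
# in the "0x<exponent>,0x<modulus>" shape PuTTY uses for RSA host keys.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys]
"rsa2@22:203.0.113.10"="0x10001,0xbadc0ffee0ddf00d"

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\tunnel]
"HostName"="203.0.113.10"
"PortNumber"=dword:00000016
"UserName"="svc"
"""

# Where PuTTY keeps its settings in the registry (lower-cased for comparison).
PUTTY_ROOT = r"hkey_current_user\software\simontatham\putty"
HOSTKEY_NAME = re.compile(r"^([\w-]+)@(\d+):(.+)$")  # e.g. rsa2@22:host


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a regedit export into {key path: {value name: raw data}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
            continue
        if current is None:
            continue
        name, sep, data = line.partition("=")
        if not sep:
            continue
        name = name.strip()
        if name != "@":  # "@" is the default value; named values are quoted
            name = name.strip('"')
        sections[current][name] = data.strip()
    return sections


def _string(data: str) -> str:
    """Unquote a REG_SZ value as written by regedit."""
    return data[1:-1] if len(data) >= 2 and data[0] == data[-1] == '"' else data


def _dword(data: str, default: int) -> int:
    """Decode a dword:XXXXXXXX value (hex), falling back to default."""
    return int(data[len("dword:"):], 16) if data.lower().startswith("dword:") else default


def preseeded_hostkeys(sections: Dict[str, Dict[str, str]]) -> List[Tuple[str, int, str]]:
    """(key type, port, host) for every entry written under SshHostKeys.

    Seeding this key answers PuTTY's unknown-host-key prompt in advance,
    which is what lets the sample connect without anyone clicking Yes.
    """
    found = []
    for key, values in sections.items():
        if key.lower() == PUTTY_ROOT + "\\sshhostkeys":
            for name in values:
                m = HOSTKEY_NAME.match(name)
                if m:
                    found.append((m.group(1), int(m.group(2)), m.group(3)))
    return found


def saved_sessions(sections: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, int]]:
    """(session name, HostName, PortNumber) for each saved session in the file."""
    prefix = PUTTY_ROOT + "\\sessions\\"
    found = []
    for key, values in sections.items():
        if key.lower().startswith(prefix):
            found.append((key[len(prefix):],
                          _string(values.get("HostName", '""')),
                          _dword(values.get("PortNumber", ""), 22)))
    return found


if __name__ == "__main__":
    sections = parse_reg(SAMPLE_REG)
    for keytype, port, host in preseeded_hostkeys(sections):
        print("pre-seeded host key: %s for %s:%d" % (keytype, host, port))
    for name, host, port in saved_sessions(sections):
        print("saved session %r -> %s:%d" % (name, host, port))
```

On a live machine the same check can be made against the registry itself rather than a .reg file: a PuTTY host key or session appearing under a user's hive on a host where nobody uses PuTTY is worth a question, and the host names it references are the ones to look for in proxy and firewall logs.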
So by gathering up a few legitimate tools and some configuration files, and packaging them with a legitimate archiver that has scripting capability, malware may result. I'm sure this wasn't the intention when scriptable archives were developed, yet they now pose an interesting dilemma to administrators and users alike.