Just the other day, I noticed a sample that may be one of the early attempts to thwart in-network malware protection — a downloader that fetches an encrypted malicious payload and performs the custom decryption on the infected target machine.
Encrypted malware is certainly nothing new, but most malware uses self-encryption such that the malicious file remains a proper Win32 executable, and on program startup it will decrypt the main body of its malicious logic. In this case, however, Troj/Dloadr-CEX attempted to download a file from a malicious URI, but when I fetched this file manually it looked like junk — the downloaded file is not in any recognizable file format, and certainly would not run as an executable. However, when I let the Trojan have its way with the downloaded data, it magically transformed what originally looked like arbitrary junk into a well-structured Windows PE file – ready to pour on some more badness on your machine.
The transportation of malware in an obfuscated non-recognizable file format may be a response by the malware community to the concept of “in-the-cloud” malware protection services (sparked back in 2007 with this interesting paper). While this may be an early attempt to thwart such in-the-cloud schemes, most do not simply rely on naively scanning all network traffic for malicious EXEs – that would be quite silly. Most are triggered by some event, say a call to CreateProcess, that will cause the file (or a checksum of the file) to be sent to the in-network scanning service for analysis before it is allowed to run. So, in this case, such services would still provide protection from the obfuscated EXE because the malicious downloader must still reveal the unobfuscated payload in its proper PE file form before starting it up.
Overall, an interesting obfuscation technique — one that may slip by your basic gateway scanner, but one that is unlikely to thwart a reasonably designed network-based protection system. Sophos customers will also remain protected from the decrypted malware with on-access scanning right on the endpoint, which will prevent the malware from running once decrypted.