Malware unit testing

Malware analysis can be quite a complex task — with all the different packing, code obfuscation, anti-emulation, anti-debugging, rootkit techniques, etc. etc. — one can assume the development of such malware is equally challenging (I’ll have to assume, not having written any malware myself of course).

One sample I came across recently, Troj/Dloadr-CLE, confirmed this for me though — particularly how the development of your basic downloader Trojan is complex enough to require proper unit testing. Upon analyzing the sample, I found it downloaded a file named “bajame.txt” from a well-known free hosting site. Outside of the AV context, you would be hard-pressed to call such a program “malware” — it just downloads a text file, for heaven’s sake!

Ok, ok… so not every file with a “.txt” extension is actually a text file, but this one was. Here’s what it looks like:

Esto es solo un archivo de texto para probar nuestro downloader ;-]

which translates from Spanish to English as

this is just a text file to test our downloader ;-]

Thanks for the tip guys – made my job a lot easier.
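The point about “.txt” above is worth turning into a check an analyst can actually run: a downloader is judged by what it fetches, and what it fetches is judged by its bytes, not by the extension in the URL. The following is an added example written for this page, not code from the original post or from the sample; the sample inputs are constructed here (the Spanish line from the post, plus a hand-built minimal PE header and an ELF stub), and the classifier is my own, deliberately small, not a replacement for a real file-type library.

```python
"""Added example (not from the original post): decide what a downloader's
payload actually is from its bytes rather than from the ".txt" in the URL.

Checks, in order: PE (MZ stub whose e_lfanew points at "PE\\0\\0"), bare
MZ/DOS, ELF, ZIP, shebang script, then "text" only if the bytes decode as
UTF-8 and contain no control characters beyond tab/CR/LF.
"""

ELF_MAGIC = b"\x7fELF"
ZIP_MAGIC = b"PK\x03\x04"
ALLOWED_CTRL = {"\n", "\r", "\t"}


def looks_like_text(data: bytes) -> bool:
    """True only for non-empty UTF-8 with no stray control bytes."""
    if not data:
        return False
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return not any(
        (ord(ch) < 0x20 or ord(ch) == 0x7F) and ch not in ALLOWED_CTRL
        for ch in text
    )


def classify_payload(data: bytes) -> str:
    """Return a coarse type label for a fetched payload, content-based."""
    if data.startswith(b"MZ"):
        # A real PE has e_lfanew at 0x3c pointing at the "PE\0\0" signature;
        # an MZ prefix alone could be a DOS stub or even text starting "MZ".
        if len(data) >= 0x40:
            e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "pe"
        return "dos-mz"
    if data.startswith(ELF_MAGIC):
        return "elf"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(b"#!"):
        return "script"
    if looks_like_text(data):
        return "text"
    return "unknown-binary"


def classify_all(samples: dict) -> dict:
    """Classify a name->bytes mapping; names are whatever the URL claimed."""
    return {name: classify_payload(blob) for name, blob in samples.items()}


# --- constructed sample inputs (not captured from the real sample) ---------
BAJAME_TXT = (
    "Esto es solo un archivo de texto para probar nuestro downloader ;-]\n"
).encode("utf-8")

# Minimal hand-built PE header: MZ stub, e_lfanew = 0x40, "PE\0\0" at 0x40.
_pe = bytearray(0x80)
_pe[0:2] = b"MZ"
_pe[0x3C:0x40] = (0x40).to_bytes(4, "little")
_pe[0x40:0x44] = b"PE\x00\x00"
FAKE_PE_AS_TXT = bytes(_pe)

FAKE_ELF_AS_TXT = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9

SAMPLES = {
    "bajame.txt": BAJAME_TXT,          # really is text
    "update.txt": FAKE_PE_AS_TXT,      # ".txt" hiding a PE
    "readme.txt": FAKE_ELF_AS_TXT,     # ".txt" hiding an ELF
    "mz.txt": b"MZ is how this memo starts\n",  # text that starts with MZ
}

if __name__ == "__main__":
    for name, label in classify_all(SAMPLES).items():
        print(f"{name:12s} -> {label}")
```

The ordering matters: the PE branch resolves the MZ ambiguity before the text heuristic runs, so a memo that happens to begin with “MZ” is reported as dos-mz rather than quietly passed as text, which is the conservative call for triage.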