Targeted malware attack shows how Fast Fingerprinting works

Fingerprint binaryLast week, I was working a shift in SophosLabs triaging customer submissions, and found myself updating detection for the Troj/DocDrop-S Trojan horse.

Keen readers will remember that I have talked about the Troj/DocDrop-S malware before, in relation to the presentation that Stephen Edwards and I gave at the recent Virus Bulletin conference in Barcelona.

The interesting thing about this targeted attack was that the while the malware author had managed to prevent us from detecting the threat they had not broken any of the specification non-compliance that allowed us to cluster this malware (see the paper and slides, courtesy of Virus Bulletin).

This enabled me to quickly update the detection, and ensure that users of Sophos products were protected.

In this way, technology is helping anti-virus researchers detect malicious Microsoft Office files, by examining if they fail to confirm to the OLE2 file format specification.

Differences between malware samples

The two differences between the new malware sample and previous ones are:

  • The case of the Workbook stream had been changed to workbook. See picture above
  • Previous incarnations had contained the unicode string “HP LaserJet” at offset 0x638 and the new version has had the first four characters “HP L” overwritten with nulls

At the time of analysis, detection of this malware by other vendors wasn’t very good. Now, according to VirusTotal, detection has improved.

If your computer wasn’t updated with Microsoft’s MS09-067 security patch, then the cybercriminal could have installed the Mal/Gyplit-A malware onto your PC.