Targeted malware attack shows how Fast Fingerprinting works


Last week, I was working a shift in SophosLabs triaging customer submissions, and found myself updating detection for the Troj/DocDrop-S Trojan horse.

Keen readers will remember that I have talked about the Troj/DocDrop-S malware before, in relation to the presentation that Stephen Edwards and I gave at the recent Virus Bulletin conference in Barcelona.

The interesting thing about this targeted attack was that, while the malware author had managed to prevent us from detecting the threat, they had not altered any of the specification non-compliance that allowed us to cluster this malware (see the paper and slides, courtesy of Virus Bulletin).

This enabled me to quickly update the detection, and ensure that users of Sophos products were protected.

In this way, technology is helping anti-virus researchers detect malicious Microsoft Office files by examining whether they fail to conform to the OLE2 file format specification.

Differences between malware samples

The two differences between the new malware sample and previous ones are:

  • The case of the Workbook stream had been changed to workbook (see picture above).
  • Previous incarnations had contained the Unicode string "HP LaserJet" at offset 0x638; in the new version, the first four characters "HP L" have been overwritten with nulls.
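
Both traits can be checked mechanically. The following Python code is an added example, not Sophos's detection logic or code from the original post: it reads the stream names from the first directory sector of an OLE2 file and classifies the bytes at 0x638 so that either variant is recognised. It assumes 0x638 is an offset from the start of the file, and the names `stream_names`, `fingerprint` and `build_sample` are hypothetical; the test files are constructed in the code itself.

```python
import struct

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
MARKER = "HP LaserJet".encode("utf-16-le")  # string the article places at 0x638
MARKER_OFF = 0x638                           # assumption: offset from start of file

def stream_names(data):
    """Stream names in the first directory sector (FAT chain not followed)."""
    shift = struct.unpack_from("<H", data, 0x1E)[0] if len(data) >= 512 else 0
    if data[:8] != OLE2_MAGIC or shift not in (9, 12):
        raise ValueError("not a well-formed OLE2 header")
    first_dir = struct.unpack_from("<I", data, 0x30)[0]
    base = (first_dir + 1) << shift          # sector 0 follows the header
    names = []
    for off in range(base, base + (1 << shift), 128):
        entry = data[off:off + 128]
        if len(entry) < 128:
            break
        name_len, kind = struct.unpack_from("<HB", entry, 0x40)
        if kind == 2 and 2 <= name_len <= 64:  # type 2 = stream
            names.append(entry[:name_len - 2].decode("utf-16-le", "replace"))
    return names

def fingerprint(data):
    """Classify the two traits from the article, tolerating both variants."""
    names = stream_names(data)
    odd_case = [n for n in names if n.lower() == "workbook" and n != "Workbook"]
    field = data[MARKER_OFF:MARKER_OFF + len(MARKER)]
    if field == MARKER:
        marker = "intact"
    elif field == b"\x00" * 8 + MARKER[8:]:
        marker = "first-four-nulled"
    else:
        marker = "absent"
    return {"streams": names, "odd_case": odd_case, "marker": marker}

def build_sample(stream_name, marker_bytes):
    """Constructed input: header, one directory sector, zero padding, marker."""
    header, directory = bytearray(512), bytearray(512)
    header[:8] = OLE2_MAGIC
    struct.pack_into("<H", header, 0x1E, 9)  # 512-byte sectors
    struct.pack_into("<I", header, 0x30, 0)  # directory lives in sector 0
    for i, (name, kind) in enumerate([("Root Entry", 5), (stream_name, 2)]):
        raw = name.encode("utf-16-le") + b"\x00\x00"
        directory[i * 128:i * 128 + len(raw)] = raw
        struct.pack_into("<HB", directory, i * 128 + 0x40, len(raw), kind)
    body = bytearray(header + directory + bytes(0x800 - 1024))
    body[MARKER_OFF:MARKER_OFF + len(marker_bytes)] = marker_bytes
    return bytes(body)
```

A rule keyed on the exact stream name or the full string misses the new sample, while one that accepts both classifications covers the old and new variants.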

At the time of analysis, detection of this malware by other vendors wasn't very good. Now, according to VirusTotal, detection has improved.

If your computer wasn't updated with Microsoft's MS09-067 security patch, then the cybercriminal could have installed the Mal/Gyplit-A malware onto your PC.


One Response to Targeted malware attack shows how Fast Fingerprinting works

  1. lewisje · 1448 days ago

    Where did you get that program from? A Google search for "eDoc" and similar relevant phrases reveals nothing.


About the author

Paul O Baccas (aka pob) joined Sophos in 1997 after studying Engineering Science at Oxford University. After nearly 16 years, he has left Sophos for pastures new and will be writing as an independent malware researcher. Paul has published several papers, presented at several Virus Bulletins and was a technical editor for "AVIEN Malware Defense Guide". He has contributed to Virus Bulletin and is a frequent contributor to the NakedSecurity blog.