Untangling the multi-component threat
For the most part malware is built with a particular purpose in mind, be it harvesting passwords, acting as a backdoor, stealthing files or simply replicating across networks. Some recent samples break this convention and chain a number of techniques and components to achieve a single net goal.
Even in today's rather paranoid web-safe culture, enticing an unsuspecting user to execute malware is still surprisingly easy, sometimes by a catchy filename alone (the sample used "Taiwan AADS Program 2008.exe", most likely relating to Automated Air Defense Systems).
When executed, a dialog pops up asking for a PGP key to view the contents of some strongly encrypted archive - hrm, something one may expect when communicating about defense systems, in which case the recipient may well know the passphrase.
What isn't obvious is that the program that's now asking for input is not the same program which was launched only seconds ago - welcome to the deception. To create this illusion the malware (Troj/MDrop-BSU) has simply dropped a legitimate PGP archive and a secondary malicious component with the filename pgp.exe - a filename the user is unlikely to question, having been predisposed by the nice PGP dialog.
Behind the scenes, however, the saga continues - pgp.exe (W32/Autorun-EN) is not your garden-variety Autorun worm: as well as hiding a copy of itself on removable media using Recycle Bin trickery (a folder that Explorer obligingly hides from view), it moves itself to the current user's Startup folder and drops a third component (Troj/RootKit-CQ), also into the Startup folder.
The third component is actually the deployer of two more components which perform the overall desired function of this malware: to log keystrokes and provide a backdoor into the now compromised system. A kernel driver is installed to stealth selected files (helping the keylogger go unnoticed), while the keylogger and backdoor are installed by subverting another service's registry entry.
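The removable-media leg of this chain rests on an autorun.inf that points Explorer at a payload stashed in a folder it hides by default. The following triage script is an added example written for this post, not SophosLabs code and not taken from the sample described above. It parses an autorun.inf the way a worm expects Windows to (tolerating padding and duplicate keys), pulls out every directive that would execute something, and flags the tricks Autorun worms lean on: launching from a Recycle Bin-style folder, hijacking the drive's "open" and "explore" verbs so a plain double-click runs the payload, and relabelling the AutoPlay entry to mimic Explorer's own "Open folder to view files". The hidden-folder pattern list and both sample files are constructed assumptions for illustration; the SID-like path is made up.

```python
"""Triage autorun.inf files for the tricks an Autorun worm relies on (added example)."""
import configparser
import re
from typing import Dict, List

# Directives in [autorun] that run a program when the volume is inserted (AutoPlay).
LAUNCH_KEYS = {"open", "shellexecute"}
# shell\<verb>\command overrides a verb on the drive's context menu; shell\open\command
# hijacks a plain double-click on the drive icon, even with AutoPlay disabled.
VERB_COMMAND_RE = re.compile(r"^shell\\([^\\]+)\\command$", re.IGNORECASE)
# Folders Explorer hides by default and that a vendor autorun.inf never needs to
# launch from. Assumption: illustrative list, not exhaustive.
HIDDEN_FOLDER_RE = re.compile(
    r"(^|[\\/])(recycler|recycled|\$recycle\.bin|system volume information)([\\/]|$)",
    re.IGNORECASE,
)


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] directives as a lower-cased key -> value dict.

    Worms pad the file with junk lines and duplicate keys to upset naive parsers,
    so be tolerant: no strict duplicate checking, key-only lines are accepted and
    '%' is not treated as an interpolation marker (paths like %SystemRoot% occur).
    """
    cp = configparser.ConfigParser(strict=False, interpolation=None, allow_no_value=True)
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    for section in cp.sections():          # section name is case-insensitive on Windows
        if section.lower() == "autorun":
            return {k: (v or "").strip() for k, v in cp.items(section)}
    return {}


def launch_commands(directives: Dict[str, str]) -> Dict[str, str]:
    """Every directive that would execute something, keyed by directive name."""
    return {
        key: value
        for key, value in directives.items()
        if key in LAUNCH_KEYS or VERB_COMMAND_RE.match(key)
    }


def assess_autorun(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing looked worm-like."""
    directives = parse_autorun(text)
    findings: List[str] = []
    for key, cmd in launch_commands(directives).items():
        if HIDDEN_FOLDER_RE.search(cmd):
            findings.append(f"{key} launches from a folder Explorer hides by default: {cmd}")
        verb = VERB_COMMAND_RE.match(key)
        if verb and verb.group(1).lower() in {"open", "explore"}:
            findings.append(f"{key} hijacks the '{verb.group(1)}' action on the drive: {cmd}")
    # A vendor disc names its installer here; worms copy Explorer's own menu wording
    # so the malicious AutoPlay entry looks like the built-in "open folder" choice.
    action = directives.get("action", "")
    if "open folder" in action.lower():
        findings.append(f"action text mimics Explorer's own menu entry: {action!r}")
    return findings


# Constructed samples for illustration; neither is taken from a real infection.
VENDOR_AUTORUN = """[autorun]
open=setup.exe
icon=setup.exe,0
label=Driver CD
"""

WORM_AUTORUN = r"""[AutoRun]
xK9q padding junk with no delimiter
open=RECYCLER\S-1-5-21-0000000000-0000000000-0000000000-1000\pgp.exe
shell\open\command=RECYCLER\S-1-5-21-0000000000-0000000000-0000000000-1000\pgp.exe
shell\explore\command=RECYCLER\S-1-5-21-0000000000-0000000000-0000000000-1000\pgp.exe
action=Open folder to view files
icon=%SystemRoot%\system32\shell32.dll,4
UseAutoPlay=1
"""

if __name__ == "__main__":
    for name, sample in (("vendor", VENDOR_AUTORUN), ("worm", WORM_AUTORUN)):
        findings = assess_autorun(sample)
        print(f"{name}: {len(findings)} finding(s)")
        for line in findings:
            print("  -", line)
```

Run on a mounted volume by feeding it the root autorun.inf; a device-control policy that blocks AutoPlay outright is still the stronger control, since the shell\open\command hijack works without AutoPlay at all.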
As complexity and depth increase, so does the chance that a malicious component will go undetected by single-layer security policies, and the malware authors almost certainly count on this. This is an excellent example of why a unified approach to security encompassing endpoint, network/firewall, device control and perimeter protection is the only sensible way of protecting your data from modern multi-component threats.
Posted on June 1st, 2008 by Pete, SophosLabs AU
Filed under: General, Malware