Malware unit testing
Malware analysis can be quite a complex task — what with all the different packing, code obfuscation, anti-emulation, anti-debugging and rootkit techniques, etc. — so one can assume that developing such malware is equally challenging (I’ll have to assume, not having written any malware myself, of course).
One sample I came across recently, Troj/Dloadr-CLE, confirmed this for me though, particularly how the development of even a basic downloader Trojan is complex enough to require proper unit testing. Upon analyzing the sample, I found that it downloaded a file named “bajame.txt” from a well-known free hosting site. Outside of the AV context you would be hard-pressed to call such a program “malware”: it just downloads a text file, for heaven’s sake!
Ok, ok… so not every file with a “.txt” extension is actually a text file, but this one was. Here’s what it looks like:
Esto es solo un archivo de texto para probar nuestro downloader ;-]
which translates from Spanish to English as
This is just a text file to test our downloader ;-]
Thanks for the tip, guys - made my job a lot easier.
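The “not every .txt is actually a text file” point above is the one check worth automating when you look at what a downloader fetches. The following is an added example, not code from the post or from SophosLabs: it sniffs the content of a downloaded payload rather than trusting its extension, flagging a Windows executable by its DOS/PE headers and treating everything else that is not mostly printable text as opaque binary. The sample inputs are constructed here (the bajame.txt line is the one quoted above, with an assumed CRLF line ending; the PE header and the junk blob are made up), and the text heuristic is a simplified version of what `file(1)` does, so it is a triage aid, not a verdict.

```python
import struct

# Sample payloads, constructed for this example.
# The text is the file content quoted in the post; the CRLF is an assumption.
BAJAME_TXT = "Esto es solo un archivo de texto para probar nuestro downloader ;-]\r\n".encode("utf-8")


def make_fake_pe() -> bytes:
    """Build the smallest byte string that satisfies the DOS + PE header checks.

    Constructed for the example: a 0x40-byte DOS header whose e_lfanew field
    (offset 0x3C) points at a "PE\\0\\0" signature immediately after it.
    """
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew -> offset 0x40
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


FAKE_PE = make_fake_pe()
JUNK = bytes(range(256))                            # constructed: not text, not PE


def is_pe(data: bytes) -> bool:
    """True if data carries a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def looks_like_text(data: bytes, threshold: float = 0.95) -> bool:
    """Heuristic: valid UTF-8 with no NUL bytes and almost all printable characters.

    Legacy single-byte encodings that are not valid UTF-8 will be reported as
    binary; that is a deliberate conservative default for triage.
    """
    if not data or b"\x00" in data:
        return False
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    printable = sum(1 for ch in text if ch.isprintable() or ch in "\t\r\n")
    return printable / len(text) >= threshold


def classify(data: bytes) -> str:
    """Return 'pe', 'text' or 'binary' based on content, never on the file name."""
    if is_pe(data):
        return "pe"
    if looks_like_text(data):
        return "text"
    return "binary"


def extension_lies(filename: str, data: bytes) -> bool:
    """True when a .txt name is wrapped around something that is not text."""
    return filename.lower().endswith(".txt") and classify(data) != "text"


if __name__ == "__main__":
    for name, blob in (("bajame.txt", BAJAME_TXT), ("bajame.txt", FAKE_PE), ("bajame.txt", JUNK)):
        print(f"{name}: {classify(blob)}  extension lies: {extension_lies(name, blob)}")
```

Run it as a script to see the three verdicts; in a real analysis pipeline you would call `classify()` on whatever the downloader wrote to disk and only then decide whether the sample deserves the “Dloadr” label or, as here, a chuckle.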
Posted on April 18th, 2009 by Mike Wood, Threat Researcher, SophosLabs, Canada
Filed under: General