Malware Evolves

24 08 2006

Malware hit another milestone in evolution – or even worse, it’s only been noticed now.

Previously, malware would arrive as a whole executable, being downloaded, emailed or dropped by passing worms. Then the “dropper” arrived, which is small code that contains just enough evil to download the other parts of itself from other systems. The worst ones hit random websites from a long list. Mitglieder comes to mind, where it connected to one of many IPs to get a list of other IPs to connect to. The smallest dropper I’ve seen in the wild was 4KB (FSG-packed ect.exe – detected as Downloader-NE by McAfee). Later, instead of downloading executables, they started downloading image files that were actually executables.

The ISC now reports that a handler found malware that downloads what looks like garbage (ASCII strings) from other websites ONLY when fed with the proper malware headers. Seems fair enough – whack a site (or host one) that feeds normal web pages, but when called with a special header, serves other purposes. We’ve all seen that before, I’m sure. The last one I saw was a control channel that served code 302 web pages (permanently moved) to  So, even if you hit it with text browsers, etc., you would see nothing wrong. But when given a specific code, it would give instructions to do something else.

The scary part with this one is that the ASCII strings downloaded are actually an encoded executable. Encoded how? However the attacker wants. In this case, it was bit-shifted and XORed by 0x13. Attackers could easily create their own “encoding” scheme and the download would be, well, undetectable at the perimeter. This leaves the workstation AV as the last line of defense.
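To make the “bit-shifted and XORed by 0x13” trick concrete from the defender’s side, here is an added example (my own code, not the sample from the ISC diary or anything the handler published). The exact shift used by the real sample is not documented here, so the encoder assumes a rotate-left by one bit followed by XOR 0x13; the detector does not rely on that assumption and instead tries every rotation and every single-byte XOR key, reporting the pair that exposes a DOS/PE header. That is the kind of check a gateway or sandbox can run over downloads that look like text but are served with odd headers.

```python
"""Detect an executable hidden as "garbage" text via bit-rotate + XOR.

Added example, not code from the ISC diary or the original post. Assumed
(for the encoder only): rotate each byte left by 1 bit, then XOR with 0x13.
The detector brute-forces all 8 rotations x 256 keys instead of trusting that.
"""
from typing import Optional, Tuple

MAGIC_MZ = b"MZ"
XOR_KEY = 0x13  # the key reported for the sample in the post


def rol8(b: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits."""
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF


def ror8(b: int, n: int) -> int:
    """Rotate an 8-bit value right by n bits (inverse of rol8)."""
    n %= 8
    return ((b >> n) | (b << (8 - n))) & 0xFF


def encode(payload: bytes, key: int = XOR_KEY, shift: int = 1) -> bytes:
    """Assumed attacker-side transform used for illustration: ROL then XOR."""
    return bytes(rol8(b, shift) ^ key for b in payload)


def decode(blob: bytes, key: int, shift: int) -> bytes:
    """Inverse transform: XOR first, then rotate right."""
    return bytes(ror8(b ^ key, shift) for b in blob)


def looks_like_pe(data: bytes) -> bool:
    """Cheap structural check: 'MZ' at offset 0 and e_lfanew pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != MAGIC_MZ:
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_hidden_executable(blob: bytes) -> Optional[Tuple[int, int]]:
    """Try every (key, shift) pair; return the first that exposes a PE image."""
    for shift in range(8):
        for key in range(256):
            if looks_like_pe(decode(blob, key, shift)):
                return key, shift
    return None


def build_sample_pe() -> bytes:
    """Constructed minimal DOS stub + PE signature for the demo; not a real program."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> offset 0x40
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


if __name__ == "__main__":
    downloaded = encode(build_sample_pe())
    print("first bytes on the wire:", downloaded[:4].hex())  # no 'MZ' visible
    print("hidden PE found with (key, shift) =", find_hidden_executable(downloaded))
```

The point of brute-forcing rather than hard-coding 0x13 is the one the post makes: the attacker picks the scheme, so a signature for one key is worthless the next day. A structural check on the decoded bytes (here the MZ/PE pair) survives key changes; a longer rotation-plus-multi-byte-XOR scheme would need a larger search, which is exactly why the post concludes the endpoint AV ends up being the last line.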

This worries me, especially since there seems to be an elitist, this-is-how-AV-will-work mentality in the AV industry. Check the Matasano blog for some AV companies and researchers crying foul about a recent Consumer Reports test of AV products here and here. The current mentality seems to be that modifying an existing virus for testing purposes is unethical and is an “unscientific” method of testing anti-virus products. Uh, ok. And test driving a car on a test track at top speed is also unethical and proves nothing.

Me? I’m preparing for the day an encrypted, time-dilated, port-hopping, host-hopping, TOR-using control channel appears via an intelligent morphing virus spread by a fully functional disappearing Trojan delivered by a short-lived, network-only worm that exploits device drivers.

Or maybe that day is already here, and we just don’t know it.
