
Anyone else alarmed at the new wave of smart trojans?



I like to think I'm fairly computer literate. I'm an amateur coder and I like to dabble in reverse engineering. I'm one of those guys who doesn't run antivirus and instead relies on common sense + VirusTotal.

Lately I've been seeing some crazy smart trojans. I come across all my potential trojans on P2P. It used to be pretty simple to ID them. You download an app and it's by some no-name group and doesn't even function. Guaranteed trojan, right? You submit it to VirusTotal and get 10 hits.

Nowadays you download your app and do some basic recon. Your PEiD database turns up no known packer. There seems to be a semi-legit NFO file. Execute it in a virtual machine and it works perfectly. Run IceSword and everything's fine. Submit it to VirusTotal and it's 100% clean. BUT within 5 minutes you're running a clandestine HTTP server that's dishing out malware.

In the past couple months I've discovered several trojans that are 100% undetectable by VirusTotal. More advanced real-time behavioral analysis might be more effective, might not. They seem to be undetectable for 2 reasons: hexing and really good packing.

Amateurs who didn't bother hexing in the past are now figuring out the AV signatures in their malware and patching them out. It used to be that only professionals did this and now kids are doing it. So even when their malware is finally unpacked (it always will be) there aren't immediate red flags from the file signature.

I've been seeing some strange custom/private editions of ancient Armadillo versions which none of the AVs seem to be able to unpack right now. Or else they're not being unpacked correctly. These EXEs are very widespread at the moment. I'm not sure if it's the first layer (Armadillo) that's making them difficult to unpack, or the combination of packers used. Most I'm seeing are PEC packed and then ARM packed. The prevalence of high quality underground packers combined with the high quality commercial ones (Themida + Armadillo) is really upping the ante for AV companies.

There are now what appear to be several organized groups releasing software with really insidious trojans in them that are, for the average person, not detectable. Some of the trojans they drop are very small, but pack a big punch.

I don't plan on doing any research on these bugs or to even investigate them any further. These are just some amateur observations.

This isn't meant to be a big alarmist "the world is going to end" thread, nor is it focused on software piracy. Just wondering if anyone else is seeing these particularly sneaky trojans.



Of course, the big thing to remember is the professional malware folks are coming up with toolkits, so the kiddies are picking that up and making little modifications. Just the nature of the beast, especially on Windows. If you have the toolkit in your hands, it doesn't take much knowledge or effort to make use of it. That's Windows programming for you, in fact. For example, instead of learning TCP/IP and HTTP to download a file over the Internet, just get the toolkit that does that and use it. Not a surprise, really.


I regularly use live malware to test security apps. I get about one per week in a webmail account that most of the scanners at VT will not detect. Detection based on identification is getting very unreliable, thanks to tools like MPack.

I am concerned about those who think that an AV or standard security suite is all they need. Signature based detection misses too much and can't respond as fast as botnets can spread malware. My biggest concern is the hacking of sites people trust, sites people add to their trusted zones or allow scripting/activeX to run on, and using them to deliver malware. The "common sense" advice that says don't visit these, don't open those, don't install that, etc, is no longer sufficient. With reputable sites and servers being hacked, there's no such thing as a trusted site or a downloaded file that a user can be certain is clean.

IMO, the only way to be certain that your system will remain clean is to establish a default-deny security policy and stick to it. Whitelist the executables you use, limit their activities to only what is necessary, especially parent-child dependencies, and block everything else. Do the same with internet content and traffic. Limit internet access to only the apps that need it and only allow them the specific access they need, especially system components. Filter unwanted content such as scripts, ads, etc. from the allowed internet traffic. As much as possible, open internet content (media files, PDFs, etc.) locally instead of integrating apps into the browser. It's less convenient but neutralizes a lot of potential exploits.

I stopped using an AV a couple years ago. For the last 2 years, I've relied on Kerio 2.1.5, SSM free, and Proxomitron, all tightly configured to enforce a default-deny policy. The combination has worked very well and is much lighter than any AV.

Rick
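The default-deny policy Rick describes (whitelisted executables, approved parent-child launches, per-application network access) as a small evaluator over constructed process and network events; this is an added example, not code from the thread or from any of the tools named in it, and every image name, rule and event below is made up for illustration.

```python
"""Toy default-deny policy evaluator (added example, constructed data).

Every executable is denied unless whitelisted, a child may only be
spawned by its approved parents, and network access (outbound or as a
listener) is granted per application rather than by default.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    parents: frozenset        # images allowed to launch this executable
    network: bool = False     # may it open outbound connections?
    listen: bool = False      # may it accept inbound connections (act as a server)?


# Constructed whitelist: image name -> rule. Anything absent is denied.
POLICY = {
    "explorer.exe": Rule(parents=frozenset({"userinit.exe"})),
    "browser.exe":  Rule(parents=frozenset({"explorer.exe"}), network=True),
    "pdfreader.exe": Rule(parents=frozenset({"explorer.exe"})),
    "firewall.exe": Rule(parents=frozenset({"services.exe"}), network=True, listen=True),
}


def evaluate(event: dict) -> tuple:
    """Return (verdict, reason) for one event record."""
    image = event["image"].lower()
    rule = POLICY.get(image)
    if rule is None:
        return "deny", f"{image} is not whitelisted"
    kind = event["type"]
    if kind == "process_start":
        parent = event["parent"].lower()
        if parent not in rule.parents:
            return "deny", f"{image} launched by unapproved parent {parent}"
        return "allow", "whitelisted image with approved parent"
    if kind == "net_connect":
        return ("allow", "outbound permitted") if rule.network else ("deny", f"{image} has no outbound access")
    if kind == "net_listen":
        return ("allow", "listener permitted") if rule.listen else ("deny", f"{image} may not accept connections")
    return "deny", f"unknown event type {kind}"


# Constructed sample events; the last two mirror the thread's scenario of a
# "working" download that quietly starts serving content over HTTP.
SAMPLE_EVENTS = [
    {"type": "process_start", "image": "browser.exe", "parent": "explorer.exe"},
    {"type": "net_connect", "image": "browser.exe", "dst": "203.0.113.10:443"},
    {"type": "process_start", "image": "pdfreader.exe", "parent": "browser.exe"},  # browser-integrated PDF
    {"type": "process_start", "image": "keygen.exe", "parent": "explorer.exe"},
    {"type": "net_listen", "image": "keygen.exe", "port": 80},
]


def audit(events=SAMPLE_EVENTS) -> list:
    """Evaluate every event and return the list of (verdict, reason) pairs."""
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for e, (verdict, why) in zip(SAMPLE_EVENTS, audit()):
        print(f"{verdict:5} {e['type']:14} {e['image']:14} {why}")
```

Note that the PDF reader launched by the browser is denied even though both images are whitelisted, which is the parent-child restriction doing its work; the unknown download is denied at launch and again when it tries to listen.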
