This month I’ve witnessed an evolution in how file infectors/viruses carry out a system infection. The diagram below shows the development from the old malware file to its new structure:
Notice that unlike the “old” malware structure, where all malware routines are contained in a single complete module, the PE file is now split into three parts, with propagation and download routines thrown into the picture.
This new infection routine starts with the “mother” file infector, which essentially contains the infection procedure. This part searches for executable files and then adds its code to them.
The infected files, in turn, contain the malware’s download routine, as well as an encrypted text file. When decrypted, the said text file points to another URL, from which the malware downloads an executable file (a split module of the mother file infector), thereby restarting the whole infection routine. Note that the encrypted text is used so that the malware author can keep a static site while still modifying the data and the source URL, which is especially useful once the link is already detected by an Internet security or anti-malware product.
In addition, WORM_DROM.AI performs routines that can disable anti-malware products. It displays an error message upon the execution of the software, as shown below:
The LIJI-DROM tandem is yet another example of how threats are getting more complex (routine-wise, to avoid immediate detection), how they are using the Web to leverage their malicious motives, and how “traditional” Internet security/Web blocking solutions are no longer enough.
Fortunately for customers, the security industry is evolving along with these threats, with proactive and heuristic detection and, in Trend Micro’s case, Web Reputation Services. Otherwise, the cleanup for this type of file infection would take far more than just three steps.