Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    This month I’ve witnessed an evolution of file infectors/viruses in manipulating system infection. The diagram below shows the development from the old malware file to its new structure:

    Old Infector Structure

    New Infector Structure

    Notice that unlike the “old” malware structure where all malware routines are contained in a single complete module, the PE file is now stripped into three parts, with propagation and download routines thrown in the picture.

    This new infection routine starts with the “mother” file infector, which essentially contains the infection procedure. This part searches for executable files, where it then adds its code.

    The infected files, in turn, contain the malware’s download routine, as well as an encrypted text file. When decrypted, the said text file points to another URL from which it downloads the executable file (which is a split module of the mother file infector), thereby restarting the whole infection routine. Note that the use of encrypted text is done to create a static site where the malware author can modify the data and source URL, especially when the link is already detected by an Internet security or anti-malware product.

    An example of malware using such a method is PE_LIJI.A-O (the mother file infector). Its infected files are detected as PE_LIJI.A, which, in turn, downloads malicious files detected as WORM_DROM.AI.

    In addition, WORM_DROM.AI performs routines that can disable anti-malware products. It displays an error message upon the execution of the software, as shown below:


    The LIJI-DROM tandem is yet another example of how threats are getting complex (routine-wise, to avoid immediate detection), how they are using the Web to leverage their malicious motives, and how “traditional” Internet security/Web blocking solutions is not enough.

    Fortunately for customers, the security industry is evolving along with these threats — what with proactive and heuristic detection, and in the case of Trend Micro Web Reputation Services. Otherwise, the cleanup for this type of file infection will take NOT only three steps.

    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon

    Comments are closed.


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice