Win32:Abigor is a complex file infector consisting of a replicating part, a backdoor and a keylogger. Its source code is known, but it is interesting to look at the file from the other side as well, as a binary under analysis.
Infections inserted into legitimate websites are often nothing more than an iframe or script tag; sometimes simple encryption functions are used, and sometimes very complex algorithms are used to hide the redirection process. But all these methods have the same objective: to redirect users to malware distribution websites hosting various exploit packs. There are also infections that try to imitate well-known and widely used services, mostly Google-related services, with Google Analytics being number one. It started with small changes in the URLs used by these services, for example "analytics" -> "analitics" and so on. In this article I will describe two new infections that imitate a well-known Google service in a more complex manner and at first glance seem to be legitimate.
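The "analytics" -> "analitics" trick described above is easy to miss by eye but easy to catch mechanically. The following is an added example, not code from the original post: it pulls every script and iframe source out of a page and flags hosts that are a small edit away from a known Google service host, or that embed a legitimate host inside a longer attacker-controlled name. The allow-list of legitimate hosts and the sample HTML are constructed for illustration and are assumptions, not data from the article.

```python
"""Flag <script>/<iframe> sources whose host imitates a well-known Google host.

Added example, not from the original post. LEGIT_HOSTS and SAMPLE_HTML are
constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that legitimately serve the imitated services (assumed allow-list).
LEGIT_HOSTS = {
    "www.google-analytics.com",
    "ssl.google-analytics.com",
    "ajax.googleapis.com",
}


def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


class SrcCollector(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value)


def lookalike_sources(html, max_distance=3):
    """Return [(src, imitated_host, reason)] for suspicious external sources."""
    parser = SrcCollector()
    parser.feed(html)
    flagged = []
    for src in parser.sources:
        host = urlparse(src).hostname  # already lowercased by urlparse
        if not host or host in LEGIT_HOSTS:
            continue  # relative URL or exact match with a legitimate host
        for legit in sorted(LEGIT_HOSTS):
            if legit in host:
                # e.g. ssl.google-analytics.com.example.net
                flagged.append((src, legit, "embeds legitimate host"))
                break
            d = edit_distance(host, legit)
            if d <= max_distance:
                # e.g. google-analitics instead of google-analytics
                flagged.append((src, legit, f"edit distance {d}"))
                break
    return flagged


# Constructed page: one legitimate include, two imitations, one local script.
SAMPLE_HTML = """
<html><head>
<script src="https://www.google-analytics.com/ga.js"></script>
<script src="http://www.google-analitics.com/ga.js"></script>
<iframe src="http://ssl.google-analytics.com.example.net/urchin.js" width="0" height="0"></iframe>
<script src="/static/app.js"></script>
</head></html>
"""

if __name__ == "__main__":
    for src, legit, reason in lookalike_sources(SAMPLE_HTML):
        print(f"{src} imitates {legit} ({reason})")
```

The edit-distance threshold is deliberately small: a distance of 1 to 3 from a known host is the typosquatting pattern the article describes, while a large distance is just an unrelated domain. Substring embedding is checked first because those hosts are far from the allow-list by edit distance but are exactly the "more complex" imitation that looks legitimate at first glance.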
A new type of malware has been found today which uses the Google search engine database for hosting. Werner Klier (a virus researcher from GData) pointed us to one very puzzling Google search result. The result has been detected as malware by avast! from the beginning. It is, however, a very interesting approach by malware creators: using Google to host their malware. Here I will describe how this infection works (virus researchers from GData, Ralf Benzmüller and Armin Büscher, reached the same conclusion).
A patch is a utility that changes a few bytes in an original file. It is usually used to bypass license validation or to enable a hidden function. Such patches are normally applied with the knowledge and agreement of the user. However, another group of patches is actually malware which performs the same kind of modification without the user's knowledge or agreement. In this case, system files are patched to gain backdoor access to the system (e.g. by changing a startup key so that the malware runs after booting). These files are detected by avast! as Win32:Patched.
The difference between file infectors (viruses) and patches is shown in the picture below. Patches just change a few bytes and cannot spread themselves. File infectors also patch the victim file, but in addition they append a virus body that performs the malicious action and can infect other files.
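The distinction in the two paragraphs above (a patch rewrites a few bytes in place; an infector rewrites bytes and appends a body) is exactly what a byte-level comparison against a known-good copy of the file shows. The following is an added example, not code from the original post: it diffs an original image against a modified one, reports each run of changed bytes, and classifies the change as a patch or as infector-like. The byte strings are constructed stand-ins, not real samples, and the classification threshold is an assumption.

```python
"""Diff an original file image against a modified copy and classify the change.

Added example, not code from the original post. ORIGINAL, PATCHED, INFECTED
and BODY are constructed byte strings, not real samples.
"""


def changed_runs(original, modified):
    """Return [(offset, old_bytes, new_bytes)] for every run of differing bytes
    within the region both images share."""
    runs = []
    n = min(len(original), len(modified))
    i = 0
    while i < n:
        if original[i] == modified[i]:
            i += 1
            continue
        start = i
        while i < n and original[i] != modified[i]:
            i += 1
        runs.append((start, original[start:i], modified[start:i]))
    return runs


def analyze(original, modified, patch_limit=16):
    """Classify how `modified` differs from `original`.

    patch_limit is an assumed threshold: up to this many rewritten bytes, with
    nothing appended, is treated as a hand-made patch."""
    runs = changed_runs(original, modified)
    changed = sum(len(old) for _, old, _ in runs)
    appended = modified[len(original):] if len(modified) > len(original) else b""
    if not runs and not appended:
        kind = "identical"
    elif appended:
        kind = "infector-like"  # bytes rewritten *and* a body appended
    elif changed <= patch_limit:
        kind = "patch"
    else:
        kind = "rewritten"
    return {"kind": kind, "runs": runs,
            "changed_bytes": changed, "appended_bytes": len(appended)}


def report(result):
    lines = [f"classification: {result['kind']}"]
    for off, old, new in result["runs"]:
        lines.append(f"  0x{off:06x}: {old.hex(' ')} -> {new.hex(' ')}")
    if result["appended_bytes"]:
        lines.append(f"  +{result['appended_bytes']} bytes appended")
    return "\n".join(lines)


# Constructed 64-byte "file": a stub header, then a conditional jump at 0x10
# (think of it as the branch a license check takes), padding, RET, zero fill.
ORIGINAL = (
    b"MZ" + b"\x00" * 14       # 0x00: stub header
    + b"\x74\x05"              # 0x10: JZ +5
    + b"\x90" * 5              # 0x12: NOP padding
    + b"\xc3"                  # 0x17: RET
    + b"\x00" * 40             # 0x18: zero fill
)

# A classic crack-style patch: JZ (0x74) becomes an unconditional JMP (0xEB).
PATCHED = ORIGINAL[:0x10] + b"\xeb" + ORIGINAL[0x11:]

# Infector-style change: entry redirected with JMP rel32 (0xE9) to an appended
# body at 0x40 (0x15 + 0x2b = 0x40), and the body itself appended.
BODY = b"\x60" + b"\x90" * 12 + b"\x61\xc3"  # constructed stand-in for a virus body
INFECTED = ORIGINAL[:0x10] + b"\xe9\x2b\x00\x00\x00" + ORIGINAL[0x15:] + BODY

if __name__ == "__main__":
    print(report(analyze(ORIGINAL, PATCHED)))
    print(report(analyze(ORIGINAL, INFECTED)))
```

Run on real files, the same routine is what you would apply to a suspected Win32:Patched system file against a clean copy of the same version: a handful of rewritten bytes at one offset points to a patch, while a rewritten entry region plus a size increase points to an appended body and is worth looking at as an infector.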
Sometimes I really wonder how complex the mythology about viruses and antiviruses is. Five minutes spent on a random community server where people talk about malware (except for a few specialist forums) will give you a hint of what I mean. It is not the purpose of this post to refute the widespread gossip that AV vendors write malware just to be the first to detect it, etc. What I want to show you is the relation between a formal description of a virus and its raw characteristics. I am trying to choose the right samples for you (actually the samples used to test an internal emulator), which contain a lot of nicely visible ASCII strings. Hopefully you'll get the point of the "Inside" series: malware analysis is not sci-fi :-). Let's look at Alma.
Last month the World Wide Web was subject to one of the heaviest attacks since it came into existence. Thousands of legitimate websites were attacked by the Trojan horses JS:Redirector-H and JS:Redirector-J, the aim of which was to infect millions of unsuspecting users. avast! was the first antivirus program to detect the infection right at the start, and all avast! users were protected throughout the duration of the attack. Now, more than a month after the attack was first detected, it is possible to assess it.