Tom Olzak

Trojan Defense: Configuring Your SOHO or Personal Infrastructure

In Business Continuity, malware, Patching, Security Management on April 10, 2010 at 08:46
Trojans continue to be a serious Internet threat and arguably the most insidious. As with any malware defense, making the right choices—and teaching users to do the same—is the only effective control. Further, continuous vigilance is required to detect and react to Trojan polymorphism.

The Challenge

Typically, Trojans gain access to a computer to collect data. The data collected are used by the Trojan’s distributor, directly or indirectly, to make money or for other gainful purposes. To achieve fiscal objectives, black hats go to great lengths to surreptitiously deliver their code and keep it secret.

To prevent anti-malware (AM) software from detecting and eliminating Trojans during delivery or installation, malware developers are going as far as encrypting the malicious payload itself. According to a recent Kaspersky Labs Threat Post:

Once the malware is on the machine, anti-malware products may detect it as a malicious file. But this process is much more difficult if the Trojan itself is encrypted. Dmitry Bestuzhev, a malware analyst for Kaspersky Lab in Latin America, has been following the evolution of Brazilian banker Trojans, and has noted a recent change in their sophistication.

A new (for Brazil) concept takes place between the second and third stages, when the Trojan.Downloader downloads and installs the Banker. On the one hand, Brazilian coders obfuscate the download links using several techniques, and on the other hand they now also crypt the Banker to be downloaded to the system.

It’s a crypted (specially packed) PE file. The coders from Brazil use this technique to prevent automated malware analysis and monitoring by AV companies. This sample, downloaded as it is on the server, won’t be functional on the user machine unless it’s decrypted. The decryption mechanism in this case is included in the initial Trojan.Downloader, which first downloads the malware and then decrypts it to be able to infect the user machine (Fisher, 2010).

Once a Trojan successfully takes up residence on a computer, it begins collecting banking and other sensitive information for later transmission to its home server. And even if it is detected, cleaning steps short of a complete wipe and replace of all content will likely fail.
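The quoted passage contains a useful detection point: the second stage sits on the server as an encrypted, non-functional blob and only becomes a runnable PE after the downloader decrypts it in memory. As an added illustration (not code from the original post or from Kaspersky), the Python below uses constructed sample buffers and hypothetical helper names to check whether a file fetched by a process parses as a PE and to measure its byte entropy; a random-looking download that is not a valid executable matches the staged-decrypt pattern and is worth a closer look.

```python
import hashlib
import math
from collections import Counter

# Hypothetical helpers and sample data constructed for this example; no real malware.
def make_plain_pe() -> bytes:
    """A minimal MZ/PE-shaped buffer with a low-entropy body (constructed)."""
    hdr = bytearray(b"MZ" + b"\x00" * 58 + (0x80).to_bytes(4, "little"))  # e_lfanew at 0x3C
    hdr += b"\x00" * (0x80 - len(hdr)) + b"PE\x00\x00"                    # 'PE\0\0' at e_lfanew
    return bytes(hdr) + b"A" * 4096

def make_crypted_blob(n: int = 4096) -> bytes:
    """Deterministic random-looking bytes standing in for an encrypted payload (constructed)."""
    out, seed = bytearray(), b"constructed-seed"
    while len(out) < n:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return bytes(out[:n])

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_like_pe(data: bytes) -> bool:
    """True if the MZ stub and the PE signature at e_lfanew are both present."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def classify_download(data: bytes, threshold: float = 7.0) -> str:
    """Triage label for a file fetched over the network by a process.

    A runnable PE is 'pe-executable'; a random-looking blob that is not a valid
    PE is 'opaque-high-entropy', the shape of a second stage that only becomes
    functional after the downloader decrypts it. Compressed archives and media
    files also score high, so treat the label as a lead, not a verdict.
    """
    ent = shannon_entropy(data)
    if looks_like_pe(data):
        return "pe-executable" if ent < threshold else "pe-packed-or-encrypted"
    return "opaque-high-entropy" if ent >= threshold else "other"
```

Run over files written by browsers or unexpected processes, the label correlates well with the quoted two-stage pattern when combined with the process that fetched the file and the URL it came from.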
