Watching Malware Evolve
Didier Stevens has posted an interesting insight into the evolution of a single piece of PDF malware. In the sample files he analysed, Didier identified that the author went through five incremental updates before reaching the point where the payload executed reliably and was ready for distribution.
From the analysis provided, it appears that the author used a single working file as a test bed, adding and modifying segments of the JavaScript payload and saving a copy after key features were added or changed. This included testing and reworking one feature that did not perform as the attacker expected, and ultimately removing it from the version that was distributed.
The final step was an attempt to obfuscate the payload somewhat, in an effort to reduce the chance of detection by antivirus and other antimalware products. The ISC handler who passed the files to Didier found that he was the first to submit them to VirusTotal for analysis, and Didier found that none of the intermediate versions had been submitted either.
The first file analysed showed the progression towards the final malicious payload (heap-sprayed shellcode targeting the util.printf format string vulnerability), but the second malicious file was merely a copy of the first file's payload with an extra layer of obfuscation. That may have been a conscious attempt to hinder reverse engineering of the payload creation process, or it may simply be the result of creating a new file with the same payload by cut-and-paste. Either way, the file name says nothing about the payload inside it, so relying on file names to classify and separate malware isn't viable with this particular example; the payload itself has to be extracted and compared.
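Linking the two files by what they carry rather than by what they are called, as an added example that is not part of the original post and not one of Didier's tools: the script below builds three constructed PDF samples (hypothetical file names, an inert script with the spray-then-util.printf shape the post describes, no shellcode), extracts the /JS literal from each, matches a few home-made indicator patterns, and hashes the comment- and whitespace-stripped script so that a cosmetically re-obfuscated copy keys to the same payload as its parent even though the file hash and the file name both differ.

```python
import hashlib
import re

# Constructed samples, not the files from the analysis above. Each PDF carries
# one JavaScript action in object 2. The script is an inert sketch of the
# pattern described in the post (heap-spray loop, then a util.printf call with
# an oversized format width); it contains no shellcode.
PAYLOAD_PLAIN = (
    b"var nop = unescape('%u9090%u9090');\n"
    b"while (nop.length < 0x40000) nop += nop;\n"
    b"util.printf('%45000f', 0);"
)
# The same script after a cosmetic obfuscation pass: comments added,
# whitespace changed, line breaks moved. The tokens are identical.
PAYLOAD_OBFUSCATED = (
    b"/* document viewer */ var nop=unescape('%u9090%u9090');\n"
    b"while(nop.length<0x40000)nop+=nop;\n"
    b"// end\n"
    b"util.printf('%45000f',0);"
)

def build_pdf(js: bytes) -> bytes:
    """Wrap a script in a minimal PDF with an /OpenAction JavaScript object."""
    return (
        b"%PDF-1.4\n"
        b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
        b"2 0 obj\n<< /S /JavaScript /JS (" + js + b") >>\nendobj\n"
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    )

# Three "submissions" under hypothetical names: the plain build, the obfuscated
# build, and a byte-identical copy of the obfuscated build saved as something else.
SAMPLES = {
    "invoice.pdf": build_pdf(PAYLOAD_PLAIN),
    "invoice_v2.pdf": build_pdf(PAYLOAD_OBFUSCATED),
    "report.pdf": build_pdf(PAYLOAD_OBFUSCATED),
}

# Indicator names are this example's own labels, not signatures from any
# product. Each targets one element of the pattern described in the post.
INDICATORS = {
    "unescape_unicode": rb"unescape\s*\(\s*['\"]%u",
    "spray_doubling_loop": rb"while\s*\(\s*\w+\.length\s*<[^)]*\)\s*\{?\s*\w+\s*\+=\s*\w+",
    "util_printf_wide_format": rb"util\.printf\s*\(\s*['\"]%\d{4,}[a-z]",
}

def extract_js_literals(pdf: bytes) -> list:
    """Return the body of every /JS (...) literal string in the file.
    Balanced parentheses nest inside a PDF literal and a backslash escapes the
    next byte, so a plain regex would stop at the first ')' of a function call.
    Hex strings (/JS <...>) and /JS values held in a stream are not handled."""
    scripts = []
    for m in re.finditer(rb"/JS\s*\(", pdf):
        i, depth, buf = m.end(), 1, bytearray()
        while i < len(pdf):
            c = pdf[i:i + 1]
            if c == b"\\":                 # escape: keep both bytes verbatim
                buf += pdf[i:i + 2]
                i += 2
                continue
            if c == b"(":
                depth += 1
            elif c == b")":
                depth -= 1
                if depth == 0:
                    break
            buf += c
            i += 1
        scripts.append(bytes(buf))
    return scripts

def normalize_js(js: bytes) -> bytes:
    """Drop comments and whitespace so a cosmetic re-layout hashes the same.
    Clustering key only: it also strips whitespace inside string literals and
    does not survive string splitting or eval-wrapped blobs."""
    js = re.sub(rb"/\*.*?\*/", b"", js, flags=re.S)
    js = re.sub(rb"//[^\n]*", b"", js)
    return re.sub(rb"\s+", b"", js)

def triage(samples: dict) -> dict:
    """Per file name: indicator hits, a key over the normalized payload, and the
    whole-file hash, so the three can be compared side by side."""
    report = {}
    for name, data in samples.items():
        joined = b"\n".join(extract_js_literals(data))
        report[name] = {
            "indicators": sorted(k for k, p in INDICATORS.items()
                                 if re.search(p, joined)),
            "payload_key": hashlib.sha256(normalize_js(joined)).hexdigest()[:16],
            "file_sha256": hashlib.sha256(data).hexdigest()[:16],
        }
    return report

if __name__ == "__main__":
    for name, r in triage(SAMPLES).items():
        print(f"{name:15} file={r['file_sha256']} payload={r['payload_key']} "
              f"indicators={','.join(r['indicators'])}")
```

Run it directly to get one line per sample: invoice_v2.pdf and report.pdf share a file hash, all three share a payload key and the same three indicator hits, and the file names carry no signal at all. The payload key only survives cosmetic changes; once an author splits strings or wraps the script in eval, the key diverges and the indicator hits are what still tie the versions together, which is why both are reported. Real PDFs also put scripts in streams and hex strings, which this extractor deliberately leaves alone.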
Researchers rarely get the chance to peer inside the malware creation process; when it happens, it offers a useful view of how malware authors work and develop their code.
18 November 2008