Published: October 24 2008, 12:39 AM by Zarestel Ferrer
Malware authors are maximizing infection on compromised systems by improving the ways in which trojan downloaders pull additional malware onto those systems. One common technique is to hide the URLs inside the trojan downloader using encryption (among other obfuscation techniques).
Another behavioral evolution, the addition of a web server, has allowed trojan downloaders to attack systems more effectively. A couple of years ago the trojan downloader equation was plain and simple:
Malware + Internet connection + URL of malware = Another malware file
The current trend looks more like this:
Step 1
Malware + Internet connection + URL of web server = URL of Malware
Step 2
Malware + Internet connection + URL of malware = Another malware file
The web server now relays instructions to the trojan downloaders regarding where the latest malware version or other malware can be downloaded. This strategy has been effective for trojan downloaders because the URLs and files can change at any time.
The addition of a web server also makes it harder for researchers to keep track of the next malware. The web server is capable of monitoring all client requests; it notes multiple accesses from the same IP address, or multiple uses of a particular unique ID generated by the malware, and can block a client request or otherwise retaliate if it deduces that it is being analyzed.
Here is a current example of a trojan downloader accessing an online web server; this one is Win32/Hopee.W. In this case the trojan downloader communicates with the web server while also sending back information about the infected system, such as its operating system, IP address, port and trojan downloader version.
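As an added illustration (not code from the original post), the two-stage pattern described above can be hunted for in proxy logs: a check-in request that carries host details, followed shortly by the same client fetching executables from other hosts. The log format, the parameter names os/ip/port/ver and every hostname other than zs0.info are constructed assumptions for the sample.

```python
"""Flag the two-stage trojan-downloader pattern in proxy logs:
stage 1, a check-in that reports host details to a web server;
stage 2, the same client pulling executables from other hosts soon after."""
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Constructed sample log, one request per line: "<ISO timestamp> <client ip> <url>"
SAMPLE_LOG = """\
2008-10-24T00:01:02 10.0.0.5 http://zs0.info/in.php?os=5.1&ip=10.0.0.5&port=1201&ver=3
2008-10-24T00:01:09 10.0.0.5 http://dl1.example.invalid/robo1.exe
2008-10-24T00:01:15 10.0.0.5 http://dl2.example.invalid/scan.exe
2008-10-24T00:02:00 10.0.0.7 http://www.example.invalid/index.html
2008-10-24T00:30:00 10.0.0.5 http://updates.example.invalid/setup.exe
"""
CHECKIN_KEYS = {"os", "ip", "port", "ver"}  # assumed beacon parameter names
EXE_SUFFIXES = (".exe", ".dll", ".scr")

def parse_line(line):
    ts, client, url = line.split(" ", 2)
    return datetime.fromisoformat(ts), client, url

def is_checkin(url):
    """A request reporting two or more host details looks like a downloader check-in."""
    keys = set(parse_qs(urlparse(url).query))
    return len(keys & CHECKIN_KEYS) >= 2

def find_two_stage(log_text, window=timedelta(minutes=5)):
    """Return {client: [(checkin_url, [payload_url, ...]), ...]}."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    hits = {}
    for i, (ts, client, url) in enumerate(events):
        if not is_checkin(url):
            continue
        checkin_host = urlparse(url).hostname
        payloads = []
        for ts2, client2, url2 in events[i + 1:]:
            if ts2 - ts > window:  # events are time-sorted, so stop here
                break
            u = urlparse(url2)
            if (client2 == client and u.hostname != checkin_host
                    and u.path.lower().endswith(EXE_SUFFIXES)):
                payloads.append(url2)
        if payloads:
            hits.setdefault(client, []).append((url, payloads))
    return hits

if __name__ == "__main__":
    for client, chains in find_two_stage(SAMPLE_LOG).items():
        for checkin, payloads in chains:
            print(f"{client}: check-in {checkin} -> {payloads}")
```

The download at 00:30 falls outside the five-minute window and is deliberately not tied to the check-in, which keeps the heuristic from flagging routine software updates.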

Generally web servers relay information in a specific format readable by the trojan downloader. This is often encrypted, making it difficult to analyze.
Below is the information received from the web server zs0.info, intercepted in OllyDbg and simulated in Malzilla:
This simple method of communication can further expose a system to attacks. The screenshot above shows that the web server was able to include references to two malware files in its reply to the trojan. It can certainly send more than two malware file references any time, which the trojan can then download and install. Currently CA detects the file "robo1.exe" as Win32/Sipay.M, and "scan.exe" as Win32/FakeAlert.GY.
To be safe, make sure your security scanner has an updated signature database and your firewall is always turned on.