Randomization Of Code And Binaries Used By A Fake Antivirus Website

THREATLABZ

March 23, 2011 - 2 Min de lectura

Security Insights

Contenido

Article
Más blogs

Last week, I talked about heavy obfuscation being used by attackers to hide their HTML source code from detection. This time we came across an interesting fake antivirus website, which not only continually changes the source of the webpage but also the malicious binaries being used in the attack. This occurs when you revisit that same malicious site. The malicious site also changes certain strings used inside the animation sequences. For this blog, I have visited that site a few times in span of a minute and collected the various source files and malicious binaries. Here are the screenshots of fake security warnings for different visits:

The highlighted fake security message in the above images varies each time with different trojan count. If you look at the source code of these webpages, it has been randomized for each subsequent visit. Here is a sampling of the altered source code:

The code contains different random variables and fake security warnings, which have been split into smaller variables in an effort to evade antivirus and IDS/IPS engines that may seek to match common string patterns. As with other fake AV sites, when a victim visits the page, he is social engineered into downloading fake security software which in turns out to be malicious program. Interestingly, each time you visit this website the malicious binary changes, which results in a different MD5 hash. The size of those malicious binaries remains same. Here are the MD5 hashes for different binaries downloaded from the same website:

The Virustotal AV detection results remain very poor with only 8/43 antivirus vendors detecting the files as malicious. Here are the results for above binaries:

http://www.virustotal.com/file-scan/report.html?id=524b2ae5004d1e80628c7e69363e6a0d6357e5a01340bf0f1a9c406d9f38cd77-1300754240

http://www.virustotal.com/file-scan/report.html?id=00d2f5827712547c18e294123f7984268cc47cc2b225a9214873584178cdc058-1300754363

http://www.virustotal.com/file-scan/report.html?id=ee3c2057135d084ea8fdeba2e3f4b8c4501728ef40fcc62bec84da4cddca7352-1300754286

http://www.virustotal.com/file-scan/report.html?id=8d4ac1aeb83f18c401b0df447e5fba2a6a02a744de6f7404a76939bd4278da94-1300754302

The example demonstrates that pure pattern matching engines will fail to detect the attack based on pattern matching strings in source code. Randomization of malicious binaries will also evade good antivirus engines.

Thanks

Umesh

Gracias por leer

¿Este post ha sido útil?

Sí, ¡Muy útil!

La verdad, no

Exención de responsabilidad: Este blog post ha sido creado por Zscaler con fines informativos exclusivamente y se ofrece "como es" sin ninguna garantía de precisión, integridad o fiabilidad. Zscaler no asume responsabilidad alguna por cualesquiera errores u omisiones ni por ninguna acción emprendida en base a la información suministrada. Cualesquiera sitios web de terceros o recursos vinculados a este blog se suministran exclusivamente por conveniencia y Zscaler no se hace responsable de su contenido o sus prácticas. Todo el contenido es susceptible a cambio sin previo aviso. Al acceder a este blog, usted acepta estas condiciones y reconoce su responsabilidad exclusiva de verificar y utilizar la información según sea precisa para sus necesidades.

Explorar más blogs de Zscaler

Agniane Stealer: Dark Web’s Crypto Threat

Leer el blog

The Impact of the SEC’s New Cybersecurity Policies

Leer el blog

Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)

Leer el blog

The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region

Leer el blog

01 / 02