Monday, September 9, 2013

Back to the future - Analysis of an old Downloader

This article is an analysis of a Downloader first discovered in the wild (ITW) in 2006. It is widely detected by anti-virus vendors, and several reports on it are available:

http://www.threatexpert.com/report.aspx?md5=a595b08e16a0605e34c9bc310af89c2c
http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=285381
https://secure2.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Bckdr-QIB/detailed-analysis.aspx

It uses a couple of interesting techniques, although, as the analysis will show, some of them were implemented in a sloppy way:

- Uses some sort of code obfuscation
- Encrypts its sensitive strings
- Uses a kernel-mode driver to hide its process

VirusTotal statistics indicate this downloader is still in use, although the download server of the sample I analyzed is no longer reachable (for more samples, see the Appendix).

Sample (UPX packed)
Target machine: x86
Size: 13,824 bytes
Compilation timestamp: 2006-11-25 19:29:09
SHA1: f18803def56bf6bfb067459ee6a9589d9f135c29
Virustotal: https://www.virustotal.com/de/file/2f771a5e0c9cda7bf8a6a771ba62585babb2df4eaa8be82accd9a3ca81d883a8/analysis/
Download (pw: infected): https://www.dropbox.com/s/8831saoza7nc1f7/downloader_f18803def56bf6bfb067459ee6a9589d9f135c29.zip
Appendix samples (pw: infected): https://www.dropbox.com/s/u4fei8nszhbwnn0/Appendix_samples.zip
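The triage fields listed above (SHA1, size, target machine, compile timestamp, UPX packing) can be reproduced from the PE headers alone. The following is an added example, not code from the original post: it parses the DOS header, COFF file header and section table with the Python standard library only, and the sample it runs on is a constructed minimal PE image (section names UPX0/UPX1/.rsrc and a hand-set timestamp), not the real downloader. Section-name matching is a heuristic; a packer or a renamed UPX build will not show those names, and the TimeDateStamp field is writable by the author, so both are indicators, not proof.

```python
"""Triage metadata for a PE sample: hash, size, machine, compile time, UPX check.

Added example using only the standard library; the PE image below is constructed
for offline testing and is not the analyzed sample.
"""
import hashlib
import struct
from datetime import datetime, timezone

# IMAGE_FILE_HEADER.Machine values (subset)
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARM", 0xAA64: "ARM64"}


def parse_pe_triage(data: bytes) -> dict:
    """Return the triage fields a report lists, read straight from the PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ signature)")
    # e_lfanew at offset 0x3C points to the "PE\0\0" signature
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    # COFF file header (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4
    )
    # Section table starts right after the optional header; each entry is 40 bytes,
    # the first 8 of which are the NUL-padded section name.
    section_table = e_lfanew + 4 + 20 + opt_size
    names = []
    for i in range(nsections):
        off = section_table + i * 40
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return {
        "sha1": hashlib.sha1(data).hexdigest(),
        "size": len(data),
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        # TimeDateStamp is seconds since the Unix epoch; attacker-controlled, so a hint only
        "compile_time": datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "sections": names,
        # UPX names its sections UPX0/UPX1 by default; a heuristic, not a guarantee
        "upx_packed": any(n.upper().startswith("UPX") for n in names),
    }


def build_sample_pe(section_names, machine=0x014C, timestamp=0) -> bytes:
    """Construct a minimal, non-executable PE image with the given section names.

    Constructed test data (no optional header, no section bodies); not a real sample.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", machine, len(section_names), timestamp, 0, 0, 0, 0x0102)
    sections = b"".join(name.ljust(8, b"\0") + b"\0" * 32 for name in section_names)
    return dos + b"PE\0\0" + coff + sections


def constructed_sample() -> bytes:
    """Constructed stand-in mimicking the listed metadata: x86, UPX sections, 2006 timestamp."""
    ts = int(datetime(2006, 11, 25, 19, 29, 9, tzinfo=timezone.utc).timestamp())
    return build_sample_pe([b"UPX0", b"UPX1", b".rsrc"], machine=0x014C, timestamp=ts)


if __name__ == "__main__":
    import sys
    # Run against a real file if a path is given, otherwise against the constructed image
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_sample()
    for key, value in parse_pe_triage(blob).items():
        print(f"{key}: {value}")
```

Run it with the path of a sample to print the same fields the report lists; without arguments it runs on the constructed image. For a real UPX-packed file the section list will typically read UPX0, UPX1 and .rsrc, and unpacking with `upx -d` before further analysis changes the hash, size and often the timestamp, so record both packed and unpacked values.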
