Web Based Malware Gets Smart(er) and Nasty

In the ongoing development of web-based malware, we are seeing an escalation of features along with the commoditization of anti-debugging capabilities within modern malware. “Plain”, simple feature sets started off in February of this year by including what these malware creators describe as managed binary crypting and on-demand firewall-bypass verification, and have matured by August into an overall anti-antivirus-software mentality as a key differentiating factor of malware.

So what new features are they working on? Anti-tracing and emulation protection, PEiD and PESniffer protection, as well as anti-heuristic scanning.


Here’s a translated description (courtesy of the fine minds at Kaspersky):

“– The binary works under admin and under normal user
– The binary is always run as the “current user”
– An unlimited number of bots can be loaded and integrated within the command and control, and with the geolocation feature, filters can be applied for a particular country
– After successful infection, the binary, which is tested against popular firewall and proactive protection security, ensures that the actions it takes and their order do not trigger proactive protection mechanisms in place
– Binary file size is 25k, the size can be reduced once it’s crypted

– Doesn’t take advantage of BITS protocol
– Doesn’t allow an infected host to be infected twice
– Bypassing NAT and supporting “always-on” connections
– A simple, easy to configure web based admin panel”


~ by David Barnett on October 7, 2008.
