Thursday, May 17, 2007

Yet Another Malware Cryptor In the Wild

Just stumbled upon a newly released cryptor in the wild, and as I pointed out in a previous post related to yet another cryptor, they're signature-based malware scanning's worst enemy. By the time AV vendors obtain a sample and analyze the routines they use, unless an IPS solution is in place, and end user friendly perimeter defense detecting the bot-ization of the host are in place - an infection occurs.

What's the big picture? It's launching a denial of service attack on anti virus vendors' labs in the form of distributing couple of hundred malware samples - future family members of a malware group. Polymorphism encrypting routines are nothing new, but with DIY cryptors in the wild the result can be quite successful even for copy cats:

"Another example is the Stration family of malware, responsible for worms and other forms of malware in late 2006. “Stration was changing so quickly—the encryption packaging, the compiler, everything. We saw up to 300 variants in a single day,” says Ron O’Brien, senior security analyst at anti-malware vendor Sophos."

File size: 4608 bytes
MD5: 406e3a1443ec617f2c968a957a460f10
SHA1: 187abe8cec588b53126afbe8e600379a3bac2321