Tuesday, June 12, 2007

DIY Malware Droppers in the Wild

The revenge of the script kiddies, or the masterminds releasing DIY tools to let 'em generate enough noise, as I pointed out in my future trends of malware paper? Further expanding the Malicious Wild West series, here are two more recently released DIY malware droppers. The detection rate for the dropper generated by the first one is disturbing, given that it is not even crypted:

AVG - 06.12.2007 - Downloader.VB.KK
NOD32v2 - 06.12.2007 - probably unknown NewHeur_PE virus
Panda - 06.12.2007 - Suspicious file

No AV detects the packer itself!

File size: 311296 bytes
MD5: 1944378cba81bcd894d43d71dc5fccb5
SHA1: 920505f2124e8a477ab26a28f81a779d717882be

The second one has a much higher detection rate for both the packer and the dropper:

File size: 19001 bytes
MD5: abad61857c4b79773326496dec11929b
SHA1: 5c74c3572febf7f468b41d9bdc5cbc19eb2348b5

PandaLabs has recently conducted a study on the increasing use of packers and cryptors by malware authors that is worth mentioning:

"There are many different packers. According to the PandaLabs study, UPX is the most common and is used in 15 percent of the malware detected. PECompact and PE are used in 10 percent of cases. However, according to PandaLabs, there are more than 500 types of packers that could be used by cyber-crooks. “In essence it is a stealth technique. The increasing use of these programs highlights how keen Internet criminals are for their creations to go undetected,” explains Luis Corrons, technical director of PandaLabs."

You may also be interested in finding out how popular antivirus vendors perform against known, but crypted, malware.

Related posts:
A Malware Cryptor
A Malware Cryptor 2
A Malware Loader
