A malware matrioshka

22 May 2006

minute read

Authors

Costin Raiu

Out of all instant messaging clients out there, ICQ is probably the easiest to spam, because the accounts are based on relatively small integer numbers. From what we’ve seen, we suspect the bad guys have already created robots which randomly pick out ICQ numbers and send URLs to them.

That’s why we’ve started experimenting with an ICQ honeypot – a custom software which is monitoring about 10 ICQ accounts and logs all received messages into a database for later inspection. So far we’ve been receiving about 30 malware URLs per month, which most of the time point to HTML pages filled with exploits which download and install trojans.

Of these, an URL received last Friday caught my attention. When I first tried to fetch the page with WGET, it went like this:

So, why would anybody spam a page which is 0 bytes long? Loading the page on a goat machine running IE and connected to the Internet brought a slighly different result: a trojan was downloaded in the system, installed, then it went out and fetched another trojan. Could it be that the guys behind that page check for the type of agent which comes to them and only send out the exploit for the “right” browser?

I wondered what would happen if we went to that page using WGET but faking an IE 6.0 user agent header? This time it works – we get a 3043 bytes page.
But what’s inside?

As you can see, it is a script, but it’s encrypted! Actually, it’s encrypted in such a way that if you change the script in any way it will not decrypt properly, so it takes some poking to find that inside it, there’s… another encrypted Javascript.
The script inside the encrypted script which you only see when you fetch page with IE goes to another page and loads (between other things) a Java Applet.

We decompiled the Java Applet to find that inside – you guessed it – there’s another applet, which gets loaded dynamically by the first applet. Which then loads a page which runs another javascript which goes to a website and fetches a Trojan Downloader. Which then fetches yet another trojan – which is encrypted in the already popular way, with FPU instructions. Interestingly, this last trojan changes on a daily basis – last week it was a keylogger, but this morning it became a banking trojan.

Welcome to the malware matrioshka.

Authors

Costin Raiu

A malware matrioshka

Latest Posts

Latest Webinars

Reports

In this report Kaspersky researchers provide an analysis of the previously unknown HrServ web shell, which exhibits both APT and crimeware features and has likely been active since 2021.

Asian APT groups target various organizations from a multitude of regions and industries. We created this report to provide the cybersecurity community with the best-prepared intelligence data to effectively counteract Asian APT groups.

We unveil a Lazarus campaign exploiting security company products and examine its intricate connections with other campaigns

How Kaspersky researchers obtained all stages of the Operation Triangulation campaign targeting iPhones and iPads, including zero-day exploits, validators, TriangleDB implant and additional modules.

A malware matrioshka

GReAT Ideas. Balalaika Edition

GReAT Ideas. Green Tea Edition

GReAT Ideas. Powered by SAS: malware attribution and next-gen IoT honeypots

GReAT Ideas. Powered by SAS: threat actors advance on new fronts

GReAT Ideas. Powered by SAS: threat hunting and new techniques

TOP 10 unattributed APT mysteries

Applied YARA training Q&A

PuzzleMaker attacks with Chrome zero-day exploit chain

Looking at Big Threats Using Code Similarity. Part 1

YARA webinar follow up

Top 10 web application vulnerabilities in 2021–2023

Network tunneling with… QEMU?

An educational robot security research

A lightweight method to detect potential iOS malware

Operation Triangulation: The last (hardware) mystery

Latest Posts

Android malware, Android malware and more Android malware

Threat landscape for industrial automation systems. H2 2023

A patched Windows attack surface is still exploitable

What’s in your notepad? Infected text editors target Chinese users

Latest Webinars

The Future of AI in cybersecurity: what to expect in 2024

Responding to a data breach: a step-by-step guide

2024 Advanced persistent threat predictions

Overview of modern car compromise techniques and methods of protection

Reports

HrServ – Previously unknown web shell used in APT attack

Modern Asian APT groups’ tactics, techniques and procedures (TTPs)

A cascade of compromise: unveiling Lazarus’ new campaign

How to catch a wild triangle

Subscribe to our weekly e-mails