Incidents

Virus techniques being used in Trojans

We found some unusual backdoors in the past few weeks. They seem like standard variants of Agobot, Rbot and other bots controlled via IRC. However, they contain files that work like EPO viruses.

Entry point obscuring viruses – EPOs.
There is a small group of parasitic viruses which includes both appending and inserting viruses which do not modify the entry point address in the headers of exe files. EPO viruses write the routine pointing to the virus body to the middle of the infected file. The virus code is then executed only if the routine containing the virus executable is called. If this routine is rarely used, (i.e. a rare error notification) an EPO virus can remain dormant for a long time.
Virus writers need to choose the entry point carefully: a badly chosen entry point can either corrupt the host file or cause the virus to remain dormant long enough for the infected file to be deleted.
Virus writers use different methods to find useful entry points:
-Searching for frames and overwriting them with infected starting points
-Disassembling the host file code
-Or changing the addresses of importing functions

These backdoors do not infect files, like typical viruses. Somebody makes these files by hand and appends a backdoor. For instance, winrar.exe is a real file in RAR, but in this case it contains an extra section with a backdoor.

Such Trojans are difficult to detect, since the backdoor is not accessed at the same time the file is launched. This technique is also dangerous because virus writers can recycle old Trojans, because the files will not match existing virus definitions from most antivirus vendors.

Virus techniques being used in Trojans

Your email address will not be published.

 

Reports

Andariel deploys DTrack and Maui ransomware

Earlier, the CISA published an alert related to a Stairwell report, “Maui Ransomware.” Our data should openly help solidify the attribution of the Maui ransomware incident to the Korean-speaking APT Andariel, also known as Silent Chollima and Stonefly.

APT trends report Q2 2022

This is our latest summary of advanced persistent threat (APT) activity, focusing on events that we observed during Q2 2022.

Subscribe to our weekly e-mails

The hottest research right in your inbox