Virus techniques being used in Trojans

We found some unusual backdoors in the past few weeks. They seem like standard variants of Agobot, Rbot and other bots controlled via IRC. However, they contain files that work like EPO viruses.

Entry point obscuring viruses – EPOs.
There is a small group of parasitic viruses, including both appending and inserting viruses, that do not modify the entry point address in the headers of exe files. EPO viruses write a routine pointing to the virus body into the middle of the infected file. The virus code is then executed only if the routine containing the call to the virus body is invoked. If this routine is rarely used (e.g. a rare error notification), an EPO virus can remain dormant for a long time.
Virus writers need to choose the entry point carefully: a badly chosen entry point can either corrupt the host file or cause the virus to remain dormant long enough for the infected file to be deleted.
Virus writers use different methods to find useful entry points:
- searching for frames and overwriting them with infected starting points
- disassembling the host file code
- changing the addresses of imported functions

These backdoors do not infect files the way typical viruses do. Somebody builds these files by hand and appends a backdoor. For instance, winrar.exe is a genuine file from the RAR package, but in this case it contains an extra section holding a backdoor.

Such Trojans are difficult to detect, since the backdoor is not reached when the file is launched; it runs only when the patched routine is called. The technique is also dangerous because virus writers can recycle old Trojans: the resulting files will not match the existing virus definitions of most antivirus vendors.
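As an added defensive illustration, not code from the original post, the following Python triage heuristic parses the PE section table directly and flags executable sections that do not contain the entry point, which is the shape a hand-appended backdoor section leaves behind when the header entry point is left untouched. `build_sample` constructs a minimal PE image in memory; the section name `.bdoor` and the layout are assumptions for the example, and a hit only marks a file for closer analysis, since legitimate binaries can also carry several code sections.

```python
import struct

SCN_EXECUTE = 0x20000000   # IMAGE_SCN_MEM_EXECUTE
SCN_WRITE = 0x80000000     # IMAGE_SCN_MEM_WRITE

def parse_pe(data):
    """Return (AddressOfEntryPoint, section list) from a PE image, no external libraries."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]     # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]  # SizeOfOptionalHeader
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]    # AddressOfEntryPoint (RVA)
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i                      # 40-byte section headers
        name, vsize, va, rsize, _rptr = struct.unpack_from("<8sIIII", data, off)
        flags = struct.unpack_from("<I", data, off + 36)[0]  # Characteristics
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va,
                         "size": max(vsize, rsize), "flags": flags})
    return entry, sections

def suspicious_sections(data):
    """Executable sections that do not hold the entry point; RWX ones are marked as such."""
    entry, secs = parse_pe(data)
    hits = []
    for s in secs:
        holds_entry = s["va"] <= entry < s["va"] + s["size"]
        if s["flags"] & SCN_EXECUTE and not holds_entry:
            hits.append((s["name"], "RWX" if s["flags"] & SCN_WRITE else "RX"))
    return hits

def build_sample(extra):
    """Constructed minimal PE32 image: .text holds the entry point; optionally an appended RWX section."""
    secs = [(b".text", 0x1000, 0x1000, SCN_EXECUTE | 0x40000000 | 0x20)]
    if extra:  # hypothetical hand-appended backdoor section, as in the winrar.exe case above
        secs.append((b".bdoor", 0x2000, 0x1000, SCN_EXECUTE | SCN_WRITE | 0x40000000))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0x1000, 0, 0, 0x1010).ljust(224, b"\0")
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, sz, va, sz, 0x400, 0, 0, 0, 0, f)
                     for n, va, sz, f in secs)
    return dos + b"PE\0\0" + coff + opt + table
```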
