We found some unusual backdoors in the past few weeks. They seem like standard variants of Agobot, Rbot and other bots controlled via IRC. However, they contain files that work like EPO viruses.
Entry point obscuring viruses – EPOs.
There is a small group of parasitic viruses which includes both appending and inserting viruses which do not modify the entry point address in the headers of exe files. EPO viruses write the routine pointing to the virus body to the middle of the infected file. The virus code is then executed only if the routine containing the virus executable is called. If this routine is rarely used, (i.e. a rare error notification) an EPO virus can remain dormant for a long time.
Virus writers need to choose the entry point carefully: a badly chosen entry point can either corrupt the host file or cause the virus to remain dormant long enough for the infected file to be deleted.
Virus writers use different methods to find useful entry points:
-Searching for frames and overwriting them with infected starting points
-Disassembling the host file code
-Or changing the addresses of importing functions
These backdoors do not infect files, like typical viruses. Somebody makes these files by hand and appends a backdoor. For instance, winrar.exe is a real file in RAR, but in this case it contains an extra section with a backdoor.
Such Trojans are difficult to detect, since the backdoor is not accessed at the same time the file is launched. This technique is also dangerous because virus writers can recycle old Trojans, because the files will not match existing virus definitions from most antivirus vendors.