Trojan downloaders are the cannon fodder of the malware world: expendable, commoditized foot soldiers with a single function. Once their job is complete–downloading the executable or other malicious component–the downloaders are no longer useful. However, researchers have found that there are now some pieces of malware that are downloading not explicitly malicious pieces of code, but small bits of code that are benign on their face, but are then transformed into malicious instructions once they’re on the target machine.
The malicious code was found by researchers at Microsoft when investigating a file that was calling out to the site of a restaurant. The researchers expected the file to be a run-of-the-mill downloader that would pull down a malicious executable hosted on the compromised server and then run that locally. But that wasn’t the case. Instead, the file was downloading a piece of code that didn’t seem to do much at all at first blush. Further analysis, however, showed that the code was rather interesting.
The initial VisualBasic application that was being analyzed turned out to be doing quite a lot of different things.
“Once the application was run on a machine with a simulated Internet connection, it got the contents of the HTML page of the restaurant website mentioned previously. The application copied itself to the Windows system folder as ‘misys.exe’, and started keylogging, although the static analysis did not indicate this kind of functionality,” Microsoft researchers wrote in an analysis of the malware.
“So the VB Application is extending its functionality dynamically by downloading and executing x86 instructions in the context of its own process. The “downloader” becomes malware by executing this downloaded blob of x86 instructions. And the downloaded instructions will be not injected to a different process and not dropped to disc, they will be executed in the process context of the “downloader”, thus the “downloader” inherits the malware functionality.”
What the victim ends up with at the finish of all of these machinations is a version of the notorious Poison Ivy backdoor, which has been around for several years and has been used in some well-known attacks. Most recently, Poison Ivy was the malware used in the attack on RSA early last year.
Poison Ivy is one of the malware tools that enables attackers to create their own version through the use of a builder kit with various options. A report on Poison Ivy by Microsoft late last year found that, although the tool itself is now about seven years old, it’s still being used quite widely. The company said that in October it removed Poison Ivy from more than 16,000 machines.