In the quest to compromise users' systems, malware has always employed different and resourceful techniques to achieve its goals. From using social engineering methods, to abusing legitimate software and its features, to using a design familiar to the user, malware has used every dirty trick in the book to achieve its malicious purpose. As a case study for such behavior we'll take a look at Backdoor:Win32/Fynloski.A and how this malware uses any means necessary to gain access to the compromised system and hide its presence from a security solution.

Taxonomy of Backdoor:Win32/Fynloski.A

We have received more than 35,000 samples of Fynloski.A with varying disguises, which we discuss in the following classification. We'll glance over the different methods and disguises that this threat adopts from the whole malware ecosystem.

The following classification lays out the different types of tools and techniques used by the malware to hide and protect itself. The classification goes from the most simple to the most complex (all the samples discussed below are detected as Backdoor:Win32/Fynloski.A):

  1. Legitimate installers used for malicious purposes:
    1. One of the samples (SHA1: 7be3c1dd9e1d054b725ea3143ee10f3c4cb3d65c) uses the open-source Nullsoft installer with a JPEG icon, which drops a particular JPEG file containing adult content. It stealthily installs the backdoor encased in a Cabinet self-extractor. On the affected system, the files look like:

      JPEG and Cabinet self-extractor

      The image on the left is of the malicious Nullsoft installer and the one on the right is the dropped Cabinet Installer, which contains the payload.

    2. Another sample (SHA1: 114926b7c49cc59eb407f8aedd36e7a38592e629) uses a WinRAR self-extractor, rather than a Nullsoft installer, that installs the backdoor silently.
  2. Known protectors and packers used maliciously by the malware:
    1. Another sample (SHA1: 0b83e7a0062f42fa238621e9640c4dcdc6bddfe7) uses a commercial protector (Themida – the malware author is using a pirated license) to evade detection. It arrives with the following icon and the file name "winfuntion.exe" in the Windows folder:

      winfunction.exe

    2. Another sample of Backdoor:Win32/Fynloski.A (SHA1: 04e0ec8d4d8dbf109009e4acda26b4b32e69fcb3) is packed with a variant of MoleBox, another commercial packer. It uses a slightly modified backdoor that can detect monitoring tools such as Wireshark, sandboxes, and other virtual environments, as well as security solutions installed on the computer. It can also perform distributed denial-of-service (DDoS) attacks on specific targets.
    3. The last sample in this category (SHA1: e3d47ccbdf09d96a3c06ad8878900d87e8b1521f) is a variant that uses the Armadillo protector. In this instance, the protector is likely modified from the standard version.
  3. Custom dropper and injector tools employed by the malware:
    1. One sample (SHA1: bd2313bed774d4804de7e2ce65a9820c81a91c73) is an MSIL dropper of Backdoor:Win32/Fynloski.A. It uses the Notepad icon and has random Version Information:

      Notepad icon with random version information

      It encrypts the payload (the backdoor) several times with a known encoding algorithm. This is what the first layer looks like:

      base64 encoding

      If you've ever used or seen base64 encoding before then you'll recognize it instantly from the picture above.

      The dropper for the malware decodes this layer; the result is a file that is similar to the original dropper. There goes one layer, but there are more. This specific sample has four layers, and the backdoor is packed using standard UPX, probably because of size constraints.

      We have also seen samples that have seven layers of base64 encoding and use another injector after the decryption. The injector is written in Visual Basic, and starts another protector for the backdoor. That seems like pretty paranoid behavior, but nonetheless it is detected by our security solutions as Backdoor:Win32/Fynloski.A.

    2. Another sample (SHA1: 2b6ee717b77e668670390ff6ec99aa6d65544e43) is an injector again written in Visual Basic, which decrypts the payload from the process "explorer.exe" into which it injects itself.
    3. The last sample (SHA1: 43f6ba0a9e48a579c46e552a875d46b15eeceae2) is a dropper written in C++, and has a similar payload to the others mentioned above.
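
As an added illustration (this is not code from the original post, nor from the malware or the RAT it abuses), the following triage helper peels nested base64 layers of the kind described above until it reaches an MZ header, then applies a crude UPX section-name heuristic; the sample input is constructed, not taken from any real sample.

```python
import base64
import binascii
import re

# Constructed stand-in for a dropped executable: an MZ header, a PE signature
# and a "UPX0" section name, wrapped in four base64 layers like the dropper above.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"UPX0" + b"\x00" * 40


def wrap_layers(data: bytes, layers: int) -> bytes:
    """Apply base64 repeatedly (used only to build the constructed sample)."""
    out = data
    for _ in range(layers):
        out = base64.b64encode(out)
    return out


SAMPLE = wrap_layers(FAKE_PE, 4)


def looks_like_base64(data: bytes) -> bool:
    # Strict check: base64 alphabet only, optional '=' padding, length a multiple of 4.
    return len(data) % 4 == 0 and re.fullmatch(rb"[A-Za-z0-9+/]+=*", data) is not None


def peel_base64_layers(data: bytes, max_layers: int = 16):
    """Decode nested base64 until an MZ header appears.

    Returns (layer_count, payload) or None if no PE header is found
    before decoding stops (non-base64 data or max_layers reached)."""
    current = data
    for layer in range(max_layers + 1):
        if current.startswith(b"MZ"):
            return layer, current
        stripped = re.sub(rb"\s", b"", current)  # tolerate line-wrapped blobs
        if not looks_like_base64(stripped):
            return None
        try:
            current = base64.b64decode(stripped, validate=True)
        except binascii.Error:
            return None
    return None


def is_upx_packed(payload: bytes) -> bool:
    # Heuristic only: stock UPX names its sections UPX0/UPX1; a real check
    # would parse the section table rather than scan the whole file.
    return b"UPX0" in payload or b"UPX1" in payload
```

A blob with more layers than the sample's four (the post mentions seven) is handled the same way, since the loop simply keeps decoding until the MZ header appears or decoding fails.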

Payload: A stolen surprise

The common thing about all the Fynloski samples we've seen so far is that they all have the same payload. But it isn't their own payload; they just maliciously use components of a certain remote administration tool (RAT). The author(s) of the tool have posted a license agreement on the tool's website, and only after one accepts it can one gain access to the binaries. Below is a screenshot of the disclaimer:

RAT EULA

Unfortunately, the clause "I promise I will never use this tool as a virus" is abused most of the time, especially since it is not enforced. Keeping such promises isn't in the malware writer's code of ethics, if they even have one, but nonetheless the last statement of the disclaimer is the author's attempt to avoid prosecution by law enforcement. However, we give juries more credit than that and think they will see through such an attempt.

As for the malware payload, it hasn't changed that much over time (the earliest samples we have are from 2009, and they have had pretty much the same payload since then), but the authors have steadily added new features and fixed bugs. The backdoor has the usual standard traits. It gains access to almost all of the resources and information on the affected computer, monitors keystrokes, steals passwords, downloads and runs files, uploads files, and disables security attributes. But it's also worth mentioning that it even has some features that look like they've been taken straight out of the movie "Hackers":

  • Capture video from the webcam
  • Record sound produced by the computer
  • Type text on the screen
  • Control the clipboard
  • Control the mouse, including the clicks
  • Hide the operating system's default screens and windows
  • Set a custom background
  • Display a message box
  • Open and close the CD-ROM drive door

By all the powers combined, we get a backdoor variant that can do almost everything that we see in the movies: change your desktop to, let's say, skulls, hide everything from the desktop, type some messianic text on your screen, record sounds and even play with your CD-ROM drive door. Seems like something out of a movie script with hackers or script kiddies, doesn't it? These kinds of features are presented, among others, on the tool's website under the heading "Fun functions".

Let's also take a look at one more backdoor sample (SHA1: 356ae1c3a710dc5e392b7a3fe1a2eea6de6df086), which is actually an older installer we first received in August 2010. It's written in Delphi, has a user interface, and installs the application with this EULA, which is pretty straightforward and taken directly from the tool's EULA:

RAT EULA

Basically, this is a full blown backdoor waiting to be used and all that it needs is a way of getting on the user's system. To achieve this, malware authors use multiple methods of tricking the user and security solutions, by employing some well-known mechanisms, as we have seen.

The malware discussed above shows how complex malicious software can get and the lengths that bad guys go to in the battle between them and providers of security solutions. Even some tools that don't set out to be used "as a virus" can be employed, however inadvertently, by malware authors. But no matter how much malware tries to avoid detection by legitimate antivirus software, it will still be effectively countered by resilient and proper security solutions such as Microsoft Security Essentials and the Microsoft Security Scanner. Backdoor:Win32/Fynloski.A is a perfect example of this.

Daniel Chipiristeanu - MMPC Munich