In the quest to compromise users' systems, malware has always employed different and resourceful techniques to achieve its goals. From using social engineering methods, to abusing legitimate software and its features, to using a design familiar to the user, malware has used every dirty trick in the book to achieve its malicious purpose. As a case study for such behavior we'll take a look at Backdoor:Win32/Fynloski.A and how this malware uses any means necessary to gain access to the compromised system and hide its presence from a security solution.
We have received more than 35,000 samples of Fynloski.A with varying disguises, which we discuss in the following classification. We'll briefly go over the different methods and disguises that this threat borrows from the wider malware ecosystem.
The following classification lays out the different types of tools and techniques used by the malware to hide and protect itself. The classification goes from the most simple to the most complex (all the samples discussed below are detected as Backdoor:Win32/Fynloski.A):
The image on the left is of the malicious Nullsoft installer and the one on the right is the dropped Cabinet Installer, which contains the payload.
It encodes the payload (the backdoor) several times with a well-known encoding algorithm. This is what the first layer looks like:
If you've ever used or seen base64 encoding before, you'll recognize it instantly from the picture above.
The dropper for the malware decodes this layer; the result is a file that is similar to the original dropper. There goes one layer, but there are more. This specific sample has four layers, and the backdoor itself is packed using standard UPX, probably because of size constraints.
We have also seen samples that have seven layers of base64 encoding and use another injector after the decryption. The injector is written in Visual Basic, and starts another protector for the backdoor. That seems like pretty paranoid behavior, but nonetheless it is detected by our security solutions as Backdoor:Win32/Fynloski.A.
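As an added example (not code from this post or from the malware), the following Python triage helper peels the nested base64 layers described above, reports how many there were, and checks whether the innermost result is a PE carrying UPX section names. The sample payload is a constructed PE-like stub, not a real binary.

```python
import base64
import binascii
import re

# Constructed stand-in for the backdoor executable: a minimal MZ/PE header
# with UPX section names. Not a real program; for demonstration only.
_hdr = bytearray(64)
_hdr[:4] = b"MZ\x90\x00"
_hdr[0x3C:0x40] = (64).to_bytes(4, "little")      # e_lfanew -> PE signature
SAMPLE_PAYLOAD = bytes(_hdr) + b"PE\x00\x00" + b"UPX0" + b"\x00" * 4 + b"UPX1" + b"\x00" * 36


def wrap_in_base64(payload: bytes, layers: int) -> bytes:
    """Apply `layers` rounds of base64, as the droppers described above do."""
    blob = payload
    for _ in range(layers):
        blob = base64.b64encode(blob)
    return blob


def looks_like_pe(data: bytes) -> bool:
    """MZ header plus e_lfanew pointing at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def looks_upx_packed(data: bytes) -> bool:
    """Heuristic: stock UPX leaves 'UPX0'/'UPX1' section names in the header."""
    return b"UPX0" in data or b"UPX1" in data


def peel_base64_layers(blob: bytes, max_layers: int = 16):
    """Strip nested base64 until a PE appears or the data is no longer base64.

    Returns (innermost_data, layers_removed). Whitespace between encoded
    characters is tolerated because dropped text blobs are often line-wrapped.
    """
    data, layers = blob, 0
    while layers < max_layers and not looks_like_pe(data):
        candidate = re.sub(rb"\s+", b"", data)
        if not candidate:
            break
        try:
            data = base64.b64decode(candidate, validate=True)
        except (binascii.Error, ValueError):
            break  # not base64 any more: this is the innermost layer
        layers += 1
    return data, layers


def triage(blob: bytes) -> dict:
    """Summarise a suspected multi-layer dropper blob for an analyst."""
    payload, layers = peel_base64_layers(blob)
    return {"layers": layers, "is_pe": looks_like_pe(payload),
            "upx_packed": looks_upx_packed(payload), "payload_size": len(payload)}
```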
What all the Fynloski samples we've seen so far have in common is that they carry the same payload. But it isn't their own payload; they maliciously reuse components of a certain remote administration tool (RAT). The author(s) of the tool have posted a license agreement on the tool's website, and only after accepting it can one gain access to the binaries. Below is a screenshot of the disclaimer:
As for the malware payload, it hasn't changed that much over time (the earliest samples we have are from 2009, and they have had pretty much the same payload since then), but the authors have steadily added new features and fixed bugs. The backdoor has the usual standard traits. It gains access to almost all of the resources and information on the affected computer, monitors keystrokes, steals passwords, downloads and runs files, uploads files, and disables security attributes. But it's also worth mentioning that it even has some features that look like they've been taken straight out of the movie "Hackers":
With all of these combined, we get a backdoor variant that can do almost everything we see in the movies: change your desktop to, let's say, skulls, hide everything from the desktop, type some messianic text on your screen, record sounds and even play with your CD-ROM drive door. Seems like something out of a movie script with hackers or script kiddies, doesn't it? These features are presented, among others, on the tool's website under the heading "Fun functions".
Let's also take a look at one more backdoor sample (SHA1: 356ae1c3a710dc5e392b7a3fe1a2eea6de6df086), which is actually an older installer we first received in August 2010. It's written in Delphi, has a user interface, and installs the application with this EULA, which is pretty straightforward and taken directly from the tool's EULA:
Basically, this is a full-blown backdoor waiting to be used, and all it needs is a way onto the user's system. To achieve this, malware authors use multiple methods of tricking the user and security solutions, employing the well-known mechanisms we have seen above.
The malware discussed above shows how complex malicious software can get and the lengths that bad guys go to in the battle between them and providers of security solutions. Even tools that don't set out to be used "as a virus" can be employed, however inadvertently, by malware authors. But no matter how hard malware tries to avoid detection by legitimate antivirus software, it will still be effectively countered by resilient and proper security solutions such as Microsoft Security Essentials and the Microsoft Security Scanner. Backdoor:Win32/Fynloski.A is a perfect example of this.
Daniel Chipiristeanu - MMPC Munich