New Variant of Dofoil Trojan Emerges with Strong Evasion Features

Exterminator
Oct 23, 2012
Botnet creator Dofoil has been silent for the past year, but this year in September a new version has been encountered, featuring significant improvements as far as detection and analysis are concerned.

The malware is designed to create a network of infected computers the attackers can then use for malicious activity ranging from infecting the systems with other threats to stealing information.
Dofoil detects virtual environments and debuggers
Malware researchers at Fortinet caught the new sample of the Trojan and analyzed its new capabilities. One of the first things noticed was that the command for retrieving the list of modules from the C&C server is now encrypted.

The set of modifications in this variant of Dofoil covers anti-analysis measures consisting of detecting a virtual environment and taking action to foil analysis.

“The bot contains several checks to detect if it is currently running in a debugger or a virtual machine. If any of the following conditions are triggered, the bot enters into an infinite loop,” said He Xu from Fortinet in a blog post.
Fake traffic is generated to trick security solutions
Moreover, the researcher discovered that, to fool detection mechanisms that may be present on the victim's system, Dofoil collects a set of legitimate URL addresses from a registry key and sends encrypted packages to them.

This sort of behavior basically masks the malicious traffic exchanged between the threat and its command and control server. Detection of the malware is also impaired, because not all the legitimate servers receiving the fake data respond in the same way (some send an error response) and some of them return a normal web page.

Other ways to identify the malware on a computer have to be found, since filtering the traffic based on server response is not a reliable method.

According to the researcher, Dofoil uses the same encryption for all the data sent to a server, meaning that picking up clues as to which stream is fake and which represents the real communication with the C&C is not possible.

However, once the packages are decrypted, their destination and purpose become obvious, allowing identification of the command and control server.
Malware changes attributes to make file appear older
Additional evasion techniques observed in the new Dofoil include a random name for the payload and modification of the attributes of the malicious file. As such, the fresh items are made to appear as if they are old, in an attempt to keep the new variants under the radar.

Furthermore, the threat relies on double-map code injection, a technique designed for escaping the detection of different security tools.

After taking a short look at the new Dofoil variant, the conclusion of the security researcher is that the threat has become “much more dangerous and aggressive than before.”
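The decoy-traffic behavior described above (same-sized, identically encrypted posts sprayed at legitimate hosts, with inconsistent server responses) can be surfaced from proxy logs without relying on status codes. The following is an added example, not code from the article, Fortinet or the malware; the log format, hostnames, thresholds and the 30-second window are constructed assumptions.

```python
"""Flag decoy-traffic fan-out in proxy logs: one client sending same-sized
POST bodies to many unrelated hosts within a short window. Added example with
a constructed log format; hostnames below are placeholders, not real IoCs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp, client, method, host, body bytes, HTTP status.
# Client 10.0.0.5 sprays 312-byte POSTs at five hosts; the answers vary (200/403/404),
# which is exactly why response filtering alone is unreliable.
SAMPLE_LOG = """\
2014-09-10T10:00:01 10.0.0.5 POST www.example-news.test 312 200
2014-09-10T10:00:01 10.0.0.5 POST shop.example.test 312 404
2014-09-10T10:00:02 10.0.0.5 POST blog.example.test 312 200
2014-09-10T10:00:02 10.0.0.5 POST cdn.example.test 312 403
2014-09-10T10:00:03 10.0.0.5 POST unknown-host.test 312 200
2014-09-10T10:05:00 10.0.0.5 GET www.example-news.test 0 200
2014-09-10T10:00:05 10.0.0.9 POST mail.example.test 1024 200
2014-09-10T10:00:06 10.0.0.9 POST mail.example.test 1024 200
"""

def parse(log):
    """Turn whitespace-separated log lines into typed tuples."""
    events = []
    for line in log.splitlines():
        ts, client, method, host, size, status = line.split()
        events.append((datetime.fromisoformat(ts), client, method, host, int(size), int(status)))
    return events

def find_fanout(events, window=timedelta(seconds=30), min_hosts=4):
    """Return {client: {body_size: sorted hosts}} for clients that POST the same
    body size to at least `min_hosts` distinct hosts inside `window`.
    Status codes are ignored on purpose: decoy servers answer differently."""
    by_key = defaultdict(list)
    for ts, client, method, host, size, status in events:
        if method == "POST" and size > 0:
            by_key[(client, size)].append((ts, host))
    hits = defaultdict(dict)
    for (client, size), reqs in by_key.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):          # slide the window over each start
            hosts = {h for t, h in reqs[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                hits[client][size] = sorted(hosts)
                break
    return dict(hits)

if __name__ == "__main__":
    for client, groups in find_fanout(parse(SAMPLE_LOG)).items():
        for size, hosts in groups.items():
            print(f"{client}: {len(hosts)} hosts received {size}-byte POSTs: {', '.join(hosts)}")
```

The output only narrows the candidate set; as the article notes, telling the real C&C apart from the decoys still requires decrypting the payloads.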
 