Malware and Mutated Malware
In one of our past blog posts we discussed malware and provided solutions to protect your assets. In this post we will be taking a deeper look at the dangerous features of mutated malware.
This year we have seen increased use of mutated malware and of code injection into legitimate software and websites. Mutation is more of a nuisance than a new threat: the malware's functions stay essentially the same while its signature values (file hashes and byte patterns) change. It is loosely analogous to the bit flipping behind DRAM (Rowhammer-style) exploits, but applied to the executable on disk and with far less sophistication. One executable we found recently contained adware and PUPs (potentially unwanted programs); because its name suggested a legitimate function, we took a second look.
The adware author had repackaged a legitimate piece of free software with additional functions, signed it with a legitimate code-signing certificate, and hosted it on free-software download sites. We believe advertising revenue was the motive.
Here are some details:
The PE imports KERNEL32.dll, USER32.dll, GDI32.dll, SHELL32.dll, ADVAPI32.dll, COMCTL32.dll, ole32.dll and VERSION.dll, which is overkill for software with such limited advertised functionality. Taken together these libraries give a program the capability to enumerate files, search for sensitive data and attack points, query the current OS version and protection mechanisms (VERSION.dll and ADVAPI32.dll), and launch further stages (SHELL32.dll and KERNEL32.dll). One caveat: this DLL list is shared by many ordinary Win32 GUI applications, so it is the specific functions imported from them, not the DLL names alone, that support the assessment.
The executable also imports functions used to access temporary files, a common way to stage payloads out of sight, and it spawns new processes for the next stage of the infection, typically fetched from a new location on the Internet. The first executable we obtained was detected by many AV engines; the subsequent files we saw were mutated variants of the original sample, went undetected, and passed as legitimate software.

Mutated malware, in simple terms, is a known piece of malware with a few bits flipped so that it evades signature-based sensors. Mutation is a real problem: adversaries who buy malware from its authors use the technique to stretch a single purchase into many undetected variants and so maximize their income. Serving known malware, with proven signatures, in mutated form is becoming very popular, and traditional solutions that depend on signatures are defenseless against it. Metamorphic malware, which rewrites its own code on each generation, is the dangerous end of this spectrum; polymorphic malware, which re-encrypts its body under a varying decryptor, gets much of the same effect from an off-the-shelf mutation engine.

The IP addresses seen in this executable's TCP streams are all relatively new and have no verdict in any reputation lookup system we consulted. It is time to reevaluate signature-based network and endpoint protection strategies, because against mutated samples they just do not work.
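As an added example that is not part of the original post, the following Python script shows concretely why a handful of flipped bits defeats hash- and byte-exact signatures while a wildcard pattern over the code and an import-table hash (modelled on the imphash technique) survive them, and where each of those stops helping. The sample bytes, the offsets chosen for mutation and the import table are constructed stand-ins for a PE file, not real malware and not data from the sample discussed above.

```python
"""Why a few flipped bits defeat exact signatures, and which checks survive them.

Added example: the "sample" below is a constructed byte blob standing in for a
malicious PE, and the import list is constructed too. None of this is real
malware or code from the original post.
"""
import hashlib
import random
import re

# Constructed stand-in for a known-bad executable: a short "code" region
# (x86 function prologue: push ebp; mov ebp,esp; sub esp,0x20) followed by a
# string/padding region that a repackager can alter without changing behaviour.
CODE = bytes.fromhex("558bec83ec20")
ORIGINAL = CODE + b"http://example.invalid/payload" + b"\x00" * 16

# Constructed import table for the sample, (DLL, function) in link order.
IMPORTS = [
    ("KERNEL32.dll", "GetTempPathA"),
    ("KERNEL32.dll", "CreateFileA"),
    ("KERNEL32.dll", "CreateProcessA"),
    ("ADVAPI32.dll", "RegSetValueExA"),
]
# Same imports with the DLL names re-cased, as a repackager might leave them.
RECASED_IMPORTS = [(dll.lower(), fn) for dll, fn in IMPORTS]


def sha256_hex(data: bytes) -> str:
    """Whole-file hash: the most brittle signature there is."""
    return hashlib.sha256(data).hexdigest()


def mutate(data: bytes, offsets, seed: int = 0) -> bytes:
    """Flip one random bit in each byte at `offsets` (the mutation the post describes)."""
    rng = random.Random(seed)
    buf = bytearray(data)
    for off in offsets:
        buf[off] ^= 1 << rng.randrange(8)
    return bytes(buf)


def exact_signature_matches(data: bytes, pattern: bytes) -> bool:
    """Byte-exact substring signature, as a classic AV engine would store it."""
    return pattern in data


def wildcard_signature_matches(data: bytes, pattern: str) -> bool:
    """YARA-style hex pattern with '??' wildcards, e.g. '55 8b ec 83 ec ??'.

    Wildcards cover the bytes an author is likely to vary (immediates, sizes),
    so a flip there does not break the match; a flip in a fixed byte does."""
    regex = b"".join(
        b"." if tok == "??" else rb"\x%02x" % int(tok, 16) for tok in pattern.split()
    )
    return re.search(regex, data, re.DOTALL) is not None


def imphash(imports) -> str:
    """Hash of the import table, modelled on the imphash idea: lower-cased
    'dll.function' names joined in link order and hashed. Byte flips in strings
    or padding leave this unchanged; adding or reordering imports changes it,
    which is the technique's known blind spot."""
    names = ",".join(f"{dll.lower().rsplit('.', 1)[0]}.{fn.lower()}" for dll, fn in imports)
    return hashlib.md5(names.encode()).hexdigest()


def survives(original: bytes, variant: bytes) -> dict:
    """Which detections that fire on `original` still fire on `variant`."""
    return {
        "sha256": sha256_hex(original) == sha256_hex(variant),
        "exact_url": exact_signature_matches(variant, b"example.invalid"),
        "wildcard_prologue": wildcard_signature_matches(variant, "55 8b ec 83 ec ??"),
    }


# Three mutations. The first two keep the code's meaning (a string and a
# frame-size immediate change). The third alters an opcode and marks the limit
# of a wildcard signature: a metamorphic engine that rewrites the prologue into
# an equivalent instruction sequence evades it while the sample still runs.
VARIANTS = {
    "flip bits in the URL string": mutate(ORIGINAL, [15, 20]),
    "flip a bit in the wildcarded frame-size byte": mutate(ORIGINAL, [5]),
    "flip a bit in a non-wildcarded opcode byte": mutate(ORIGINAL, [0]),
}

if __name__ == "__main__":
    for name, variant in VARIANTS.items():
        print(f"{name}: {survives(ORIGINAL, variant)}")
    print("imphash unchanged by re-casing:", imphash(IMPORTS) == imphash(RECASED_IMPORTS))
    print("imphash changed by an added import:",
          imphash(IMPORTS) != imphash(IMPORTS + [("USER32.dll", "MessageBoxA")]))
```

Run it with `python3` and read the table it prints: the SHA-256 column is false for every variant, the exact URL signature fails as soon as the string is touched, and the wildcard prologue pattern holds until a fixed opcode byte changes. The import-table hash is the one check that ignores byte flips entirely, which is why structural and behavioural indicators belong alongside byte signatures in a detection strategy; its own weakness (any added or reordered import changes it) is shown in the last line.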