Trojan uses an old compression format to thwart detection (Sep 19, 2014)

The Dell SonicWALL Threats Research team has received reports of a Trojan posing as a fake Word document. This Trojan may arrive in the form of an email with a seemingly harmless compressed file as an attachment. The attachment comes in the ARJ file format, a compression format that was popular in the 1990s and uses .arj as its file extension. By using such an old compression format, the malware can thwart security products that try to scan, block or unpack the attachment.

Figure 1: Sample email with the malicious attachment

Infection Cycle:

The Trojan uses the following naming conventions with a .scr or .exe file extension:

  • statmnt_yyyy-mm-dd_*random digits*.scr
  • infraction_yyyy-mm-dd_*random digits*.exe
  • order_yyyy-mm-dd_*random digits*.scr
  • runout_yyyy-mm-dd_*random digits*.scr
  • termnate_yyyy-mm-dd_*random digits*.exe
  • sale_yyyy-mm-dd_*random digits*.exe
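The ARJ trick only works where the scanning layer cannot look inside the container. As an added defender's example (not the advisory's or SonicWALL's code), the following Python script walks the ARJ basic-header chain directly (header id 0x60EA, header size, CRC-32, filename, extended headers) and flags entries whose names match the naming convention listed above, without unpacking anything. The archive it inspects is constructed inside the block and is not a real sample from the campaign.

```python
import re
import struct
import zlib

ARJ_MAGIC = b"\x60\xea"
# Dropper naming convention reported in the advisory (date, random digits, .scr/.exe).
SUSPECT = re.compile(r"^(statmnt|infraction|order|runout|termnate|sale)_\d{4}-\d{2}-\d{2}_\d+\.(scr|exe)$", re.I)

def _header(buf, pos):
    """Parse one basic header at pos -> (entry dict, or None at the end marker; offset after it)."""
    if buf[pos:pos + 2] != ARJ_MAGIC:
        raise ValueError("bad ARJ header id at offset %d" % pos)
    size = struct.unpack_from("<H", buf, pos + 2)[0]
    if size == 0:                                     # zero-size header ends the archive
        return None, pos + 4
    hdr = buf[pos + 4:pos + 4 + size]                 # first_hdr_size .. comment; CRC-32 follows
    if zlib.crc32(hdr) != struct.unpack_from("<I", buf, pos + 4 + size)[0]:
        raise ValueError("header CRC mismatch at offset %d" % pos)
    first = hdr[0]                                    # fixed fields end here; filename follows
    name = hdr[first:hdr.index(b"\x00", first)].decode("ascii", "replace")
    comp, orig = struct.unpack_from("<II", hdr, 12)   # compressed / original size
    pos += 4 + size + 4
    while True:                                       # extended headers: u16 size, data, u32 crc
        ext = struct.unpack_from("<H", buf, pos)[0]
        pos += 2
        if ext == 0:
            break
        pos += ext + 4
    return {"name": name, "method": hdr[5], "comp": comp, "orig": orig}, pos

def arj_entries(buf):
    entries, (_, pos) = [], _header(buf, 0)           # skip the main (archive) header
    while True:
        entry, pos = _header(buf, pos)
        if entry is None:
            return entries
        entries.append(entry)
        pos += entry["comp"]                          # step over the file's data block
def suspicious_entries(buf):
    return [e["name"] for e in arj_entries(buf) if SUSPECT.match(e["name"])]
def build_stored_arj(files):
    """Constructed test archive (method 0 = stored); not a real sample from the campaign."""
    def block(name, method, ftype, comp, orig, data=b""):
        fixed = struct.pack("<8B4I3H", 30, 11, 1, 0, 0, method, ftype, 0, 0, comp, orig, 0, 0, 0, 0)
        hdr = fixed + name.encode() + b"\x00\x00"     # filename, empty comment
        return ARJ_MAGIC + struct.pack("<H", len(hdr)) + hdr + struct.pack("<IH", zlib.crc32(hdr), 0) + data
    main = block("sample.arj", 2, 2, 0, 0)            # main header: security version 2, type 2
    return main + b"".join(block(n, 0, 0, len(d), len(d), d) for n, d in files) + ARJ_MAGIC + b"\x00\x00"
SAMPLE = build_stored_arj([("statmnt_2014-09-17_48213.scr", b"MZ" + b"\x00" * 30),
                           ("readme.txt", b"statement attached\n")])
```

Running `suspicious_entries(SAMPLE)` returns only the .scr entry; a header whose CRC does not match raises, so a truncated or tampered archive is reported rather than silently skipped.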

Once executed it drops the following files:

  • %TEMP%/sale__*random digits*.rtf (a harmless document file)

It then displays the contents of this document by executing the following commands:

  • PROGRAM FILES\MICROSOFT\OFFICE11\WORDVIEW.EXE ["PROGRA~1\MICROS~2\OFFICE11\WORDVIEW.EXE" /n /dde]

Figure 2: Example contents of the harmless word document

To verify internet connectivity, the Trojan performs the following DNS queries:

Figure 3: DNS query to microsoft.com

The Trojan then establishes a connection to different remote servers and sends out encrypted data:

Figure 4: Trojan connects to remote server sazlar.de
Trojan connects to remote servers: sazlar.de, telasramacrisna.br and powerc214.galaxy-gmbh-service.de

Figure 5: Example of encrypted data sent

Based on the following strings found in the main binary file, this Trojan is capable of downloading additional malware to the victim’s machine:

Figure 6: Hardcoded strings found in the main executable
Trojan tries to download mine.tar.gz from: sazlar.de, telasramacrisna.br, pinballpassion.fr and necaps.org

These additional malware components were found to be variants of Zbot and are detected as:

  • Mine.exe [Detected as GAV: Zbot.AAD (Trojan)]

In true Zbot fashion, this new malware component was found to post encrypted data and send DNS queries to randomized domain names:

Figure 7: ZBot generated DNS queries to random domains

Overall, this Trojan is capable of downloading additional malware onto the victim’s machine. It can also send sensitive information out to a remote server.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Sinowal.CF (Trojan)
  • GAV: Sinowal.CF_2 (Trojan)
  • GAV: Sinowal.CF_3 (Trojan)
  • GAV: Vikaslop.A (Trojan)
  • GAV: Vikaslop.A_2 (Trojan)
  • GAV: Zbot.AAD (Trojan)
