• Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg
  • Delicious

Anti-Malware Laboratory

Yet Another Malware Blog

About

An informal blog from your friendly neighborhood software security humans.

Blog Archive

  • ►  2015 (5)
    • ►  October (1)
    • ►  August (2)
    • ►  May (1)
    • ►  March (1)
  • ►  2014 (8)
    • ►  October (1)
    • ►  July (1)
    • ►  June (1)
    • ►  May (4)
    • ►  April (1)
  • ►  2013 (12)
    • ►  December (3)
    • ►  November (5)
    • ►  August (2)
    • ►  March (2)
  • ▼  2012 (35)
    • ►  April (4)
    • ▼  March (12)
      • NSA Mobility Program
      • The 2012 Cyber Defence University Challenge
      • Double Winrar self-executable archive packed Fakeav
      • Fake Skype Vouchers website leads to Java Exploits
      • AV-TEST Report on Android Anti-Malware Solutions
      • Justin Bieber Facebook Spam
      • Fake Intuit Quickbooks Page Leads to Black Hole Ex...
      • AXMLPrinter2
      • Black Hole exploit kit
      • CrimePack exploit kit
      • Installing Ubuntu 10.04.1 LTS 64 bit, MongoDB 2.0....
      • Baksmali
    • ►  February (17)
    • ►  January (2)

Categories

adobe (1) android (10) android february (1) baksmali (1) Black Hole (2) crimepack (1) disassembler (1) exploit (3) Exploits (4) Fakeav Winrar sfx (1) Fishbowl (1) flash (1) gift certificates (1) Google Authenticator (1) google play (1) hcp (1) java (1) Malware (5) mdac (1) Mobile (24) NSA Mobility Program (1) obfuscated script (1) pdf (1) Reversing (2) rhino (1) skype (1) smali (1) spam (1) test (1) Unpacking (1) vouchers (1) vulnerability (3)

Popular Posts

  • Bank of America spam: An Analysis
    An email claiming to be from Bank of America lures users to open an attachment that shows how to open secure emails from the bank. The mess...
  • [BE CAUTIOUS] Dragon Ball Z: Resurrection of F MALWARE and SCAM
    Be wary of downloading movies in torrent sites.  Executables can also be executed with a file size as huge as a gigabyte...
  • Unpacking MFC Compiled CryptoWall Malware
    Unpacking MFC Compiled CryptoWall Malware Introduction First and foremost, this article does not intend to analyze what CryptoWall malw...

Visitors to this blog

Sunday, March 18, 2012

Double Winrar self-executable archive packed Fakeav

Posted on Sunday, March 18, 2012 by Red Horse | No comments
Originally posted by marc.

Malware authors have been using packers/compression programs to confuse AV detection engines. Here's one mildly annoying technique that I stumbled upon last week.

Step 1. Pack file with Asprotect packer

Step 2. Create a password protected Winrar sfx archive using the file in step 1.

Step 3. Create another Winrar sfx archive using the file created in step 2, but this time, include the password in the execution script.


Most AV engines will usually have some trouble unpacking password protected files wherein the password is in another compression layer of the file. A quick Virus Total scan shows that this is indeed the case.

Password protected RAR SFX archive
Avast Win32:FakeAV-CYX [Trj]
DrWeb Trojan.Fakealert.29018
GData Win32:FakeAV-CYX
Kaspersky Trojan-Dropper.RAR.Agent.a
McAfee Generic Dropper.ady
Microsoft Rogue:Win32/FakePAV
VIPRE Win32.Malware!Drop

Unpacked file
AntiVir TR/Fraud.Gen
Avast Win32:FakeAV-CYL [Trj]
AVG Suspicion: unknown virus
ClamAV PUA.Packed.ASPack
GData Win32:FakeAV-CYL
Kaspersky HEUR:Trojan.Win32.Generic
McAfee FakeAlert-FCG!F72024F90A24
Microsoft Rogue:Win32/FakePAV
NOD32 a variant of Win32/Adware.WintionalityChecker.AA
Panda Suspicious file
Sophos Mal/FakeAV-MJ
VIPRE WindowsShieldTool

Notice how some AV engines didn't even bother detecting the password protected archive and how the same AV engine detects the same malware with two different names. This usually means that the AV vendor couldn't automatically unpack the file and had the write two different detections, one for the password protected file and one for the unpacked file.

An advantage of this technique is that when hosting the file on hacked servers, or when going through email gateways, there is a greater chance that the file remains undetected, since the file is never executed, and the underlying asprotected file is never revealed.

On a related note, here's a screenshot of a variant of the same malware, except this time with excerpts from Romeo and Juliet included in its winrar script. This is done to change the file hash and give AV detection automation a hard time. The process is most likely automated too, so they could be generating thousands of files containing the same malware with a different file hash with each click of a button.
Email ThisBlogThis!Share to XShare to FacebookShare to Pinterest
Categories: Fakeav Winrar sfx, Malware
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)
volute-glacial
volute-glacial
 volute-glacial
volute-glacial
Copyright © Anti-Malware Laboratory | Powered by Blogger
Design by Fabthemes | Blogger Template by NewBloggerThemes.com