Archive for February 2010

Pushdo Revolutions: Communication Encryption and Decoy Traffic

Recently, while researching a new bot (GoolBot), we found another Pushdo-like malware spreading with its help. After reversing, it became clear that it was a brand new evolution of the infamous multi-malware loader, for two essential reasons:

  • While it used the 2nd generation Pushdo communication protocol (with minor variations), it encrypted its communications and routed them through the SSL port (443); while this encryption looked like SSL at first sight (which would be consistent with the choice of the port), it is actually NOT.
  • There is a routine which generates some actual SSL traffic to a list of 339 known websites (legitimate, for the most part), obviously to drown bot-to-C&C communication in a sea of decoys.

This latter point explains why so many webmasters are reporting that SSL traffic (coming from many different IPs) is much higher than normal these days. The good news for them is that the additional traffic is not malicious (application-wise, that is); the bad news is that an increase in actual visitors is not the cause of it: it’s just some dummy data generated by calls to the QueryPerformanceCounter API in the latest Pushdo evolution.
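The two points above suggest a simple network-side check for defenders, shown here as an added example (not code from the original post or from the Pushdo analysis): the decoy connections are genuine SSL, so they begin with a well-formed SSL/TLS record header, whereas the custom-encrypted C&C traffic on port 443 does not. The flow identifiers and payload bytes below are constructed for illustration; the assumed input is the first client-to-server bytes of each flow to port 443, as you would extract from a packet capture.

```python
"""Flag port-443 flows whose first client bytes are not an SSL/TLS record header.

Added example, not part of the original post. Assumes each value in the
input dict is the first client->server payload of one TCP flow to port 443.
"""
from typing import Dict, List

# TLS record content types: change_cipher_spec, alert, handshake, application_data
TLS_CONTENT_TYPES = {20, 21, 22, 23}


def looks_like_tls(payload: bytes) -> bool:
    """Return True if the payload starts with a plausible TLS (or SSLv2-style) client record."""
    if len(payload) < 5:
        return False
    # SSLv2-compatible ClientHello: 2-byte length with the high bit set, then msg type 0x01
    if payload[0] & 0x80 and payload[2] == 0x01:
        return True
    content_type, major, minor = payload[0], payload[1], payload[2]
    # Record-layer version is 3.x for SSL 3.0 through TLS 1.3
    if content_type not in TLS_CONTENT_TYPES or major != 3 or minor > 4:
        return False
    record_len = int.from_bytes(payload[3:5], "big")
    # A TLS record carries at most 2^14 bytes of plaintext plus a bounded overhead
    if record_len == 0 or record_len > 16384 + 2048:
        return False
    # The first client handshake record should carry a ClientHello (handshake type 1)
    if content_type == 22 and len(payload) >= 6 and payload[5] != 1:
        return False
    return True


def flag_non_tls_flows(flows: Dict[str, bytes]) -> List[str]:
    """Return the ids of flows whose first bytes do not look like SSL/TLS."""
    return [fid for fid, data in flows.items() if not looks_like_tls(data)]


# Constructed sample flows (first client bytes only); these are not real captures.
SAMPLE_FLOWS = {
    # Well-formed TLS 1.0 handshake record carrying a ClientHello: a decoy-style real SSL session
    "10.0.0.5:49152->203.0.113.10:443": bytes.fromhex("16030100a5010000a10303") + b"\x00" * 20,
    # Opaque bytes with no record header: what custom encryption on port 443 looks like
    "10.0.0.5:49153->203.0.113.11:443": bytes.fromhex("8f2ac3117be9"),
    # Application-data record first is unusual but still TLS-shaped, so it is not flagged
    "10.0.0.5:49154->203.0.113.12:443": bytes.fromhex("17030300410000"),
}

if __name__ == "__main__":
    for flow_id in flag_non_tls_flows(SAMPLE_FLOWS):
        print("non-TLS payload on 443:", flow_id)
```

The check is deliberately structural rather than signature-based: it does not need to know anything about the bot's encryption, only that the bytes are not shaped like an SSL/TLS record. A flow that is flagged here deserves a closer look, while flows that pass (including the decoy traffic to legitimate sites) can be set aside from this particular hunt.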

Memory snapshots (from a Pushdo-infected machine) below illustrate the former point about encryption:

After encryption (same memory space), just before sending:


Malware’s Wardrobe II – FakeAV and GoolBot, Looks Like They Went To The Same Shop

First, let’s take a look at two flow graphs:

Figure 1 – GoolBot (left) and FakeAV (right)

From Figure 1, we can find many differences between them. The major one is probably the suspicious loop in FakeAV (right). But any trained eye will notice that both are packed (many fake API calls placed up front is a strong characteristic of custom packers). So we might guess that they use different custom packers. But do they? Before answering that, let’s dig deeper into GoolBot.
