Trojan Hides in Code

Tuesday, September 27, 2011 @ 03:09 PM gHale


A version of the Alureon Trojan was hiding command and control backup locations in regular JPEG files.

The images were posted on random domains so that, if the Trojan could not contact its primary servers, it would fall back to the encrypted addresses they carried.


After a period of monitoring, Microsoft researchers were able to determine just how the new Alureon works.

Win32/Alureon belongs to a family of data-stealing Trojans. Its multiple functions let its operator intercept private data and send destructive commands to the infected machine, leaving behind a trail of damaged DNS settings. Keyboard and other drivers may also malfunction after an infection by this malware.

A closer investigation revealed that the new variant downloads an extra component file called com32; once the researchers decrypted it, they were able to discover its true purpose.

The new component tries to fetch a number of image files hosted on a few blogs. Each image contains a string of data that com32 interprets, giving Alureon a list of backup C&C servers to contact should the primary hosts become unavailable.
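The post does not say where inside the JPEG the configuration string sat. As an added example (not from the TechNet write-up and not Alureon's own format), the Python below walks a JPEG's marker segments and flags data appended after the End-of-Image marker, one place a smuggled payload commonly ends up; the sample image, the MIN_TAIL threshold and the entropy heuristic are assumptions.

```python
import math
from collections import Counter

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
MIN_TAIL = 32   # assumed threshold: shorter tails are treated as benign padding

def jpeg_end_offset(data: bytes) -> int:
    """Return the offset just past the EOI marker (FF D9), or -1 if this is not a parseable JPEG."""
    if not data.startswith(SOI):
        return -1
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return -1
        marker = data[pos + 1]
        if marker == 0xFF:                                  # fill byte ahead of a marker
            pos += 1
        elif marker == 0xD9:                                # EOI: the image proper ends here
            return pos + 2
        elif marker == 0x01 or 0xD0 <= marker <= 0xD8:      # standalone markers (TEM, RSTn, SOI)
            pos += 2
        else:
            pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")   # segment length includes itself
            if marker == 0xDA:                              # SOS: skip entropy-coded scan data
                while pos + 1 < len(data):
                    nxt = data[pos + 1]
                    if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                        break                               # a real marker (not stuffing or RSTn)
                    pos += 1
    return -1

def shannon_entropy(buf: bytes) -> float:
    # bits per byte: encrypted or compressed data sits close to 8.0, plain text well below
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def inspect_jpeg(data: bytes) -> dict:
    """Report bytes appended after EOI; a sizeable high-entropy tail is what a hidden encrypted config would leave."""
    end = jpeg_end_offset(data)
    if end < 0:
        return {"valid_jpeg": False, "trailing_bytes": 0, "entropy": 0.0, "suspicious": False}
    tail = data[end:]
    return {"valid_jpeg": True, "trailing_bytes": len(tail),
            "entropy": round(shannon_entropy(tail), 2), "suspicious": len(tail) >= MIN_TAIL}

def build_sample_jpeg(tail: bytes) -> bytes:
    """Constructed minimal JPEG: SOI, JFIF APP0, a tiny SOS scan (with one stuffed FF 00), EOI, then tail."""
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\xff\x00\x56\x78"
    return SOI + app0 + sos + EOI + tail
```

Run `inspect_jpeg` over images pulled from proxy or mail logs; a tail of several hundred bytes with entropy near 8.0 is worth a closer look, while a short tail is usually just encoder padding.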

The configuration files masquerade as pictures representing an old woman, a young man and a bowl of Chinese herbs, according to the TechNet blog.

Most anti-virus applications will detect the threat, so in order to protect your device and data, make sure you have an up-to-date virus definition database and a properly configured firewall.


