
Trustwave discovers malware infected with even more malware

Friday August 31 2012

Trustwave spoke to The Firewall today about some unusual malware which it found in the wild two days ago.

We spoke to Ziv Mador, the director of security research in Trustwave's SpiderLabs, who told us the story. Trustwave's incident response team identified two pieces of malware on a point-of-sale device, and at least one of them was grabbing track data (cardholder data) on the infected system. Mador said: "What started as a typical reverse engineering engagement quickly changed into an unusual scenario where we found ourselves relying on assistance from antivirus software in an unexpected way.

"One sample was very straightforward, as it appeared to be a variant of the popular Sality Trojan family. Trustwave didn't even have to dig into the file to find it. Sality is an old piece of malware. Some reports date it back to as far as 2003. It has a number of capabilities, but it is certainly best known for its ability to infect other PE files on the system."

Specifically, Sality has the ability to infect other EXEs and SCRs (screensaver files). This file, as expected, dumps a library file (DLL) to the system32 directory and proceeds to load it by a specific export name. We can see below a snippet of what I mean, as pretty much every antivirus product in existence has detections in place for this family.

This malware wasn't something that should be considered part of a targeted attack on a point-of-sale system. This is more the type of malware you'd expect to see on your Aunt Mae's computer after she clicked a link in an email to buy Peter Parker some new ear muffs.
 
"So it looks like I have a pretty good handle on that particular sample. Certainly malicious, but nothing inside led me to believe that this sample was targeting track data on the victim. That leads me to sample #2. This sample, unlike #1, wasn't as straightforward. It had roughly the same number of detections by A/V, all of which indicated that this malware was Sality, just like the first piece of malware. What was unusual about this sample was the fact that it looked nothing like #1. Typically, if it's a variant of a malware family, you're going to see some evidence of similarity. In this case, very little 'likeness' was seen in this sample when comparing it to the first one. That being said, there was one thing that this malware shared with the first one: both samples dropped the same library file (DLL) in the system32 directory, and proceeded to load it with a specific export name during runtime. Other than that, however, these samples were very distinct."
 
One thing that made sample #2 unique was that it contained evidence of targeting track data, which was exactly what the investigation was looking for. The problem? Sality was never known to target track data.

One of Mador's team, Josh Grunzweig, said: "This, initially, left me scratching my head. My brain began racing to a number of crazy situations—Did I just discover a brand new variant that targets banking data? Perhaps the author was able to get his/her hands on the Sality source code and was making modifications for a targeted attack against this client? Alas, the answer, as is often found in life, was much simpler. Further inspection of these samples revealed that the second piece of malware (the one that targeted track data) had an added section (named 'srdata') with some obfuscated data.
 
"It turns out that the Sality family of malware infects other samples. Both the banking malware and Sality wound up infecting this system. The banking malware was most likely the result of a more targeted attack, whereas Sality probably wound up getting placed on there via a more automated method. Perhaps someone was using this box to browse the web, or perhaps another system on the network infected it. It's hard to say for sure. The funny thing is, once Sality got its hands on the system, it proceeded to infect this banking malware along with everything else."

So what we are left with is malware that is infected with other malware.
 
Trustwave was then able to use one of the many antivirus products at its disposal to 'disinfect' the second sample, stripping out the Sality infection and leaving the original track-data-stealing malware behind. The catch: every one of the earlier detections had been firing on Sality, not on the underlying point-of-sale malware, so this 'clean' sample was no longer caught by any antivirus product at all.
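The following Python script is an added example, not Trustwave's or SpiderLabs' code, of the situation the article describes: a host binary (standing in for the track-data stealer) gains an appended section named 'srdata' (the section name the article reports), a toy signature that keys only on that section and its marker bytes fires, and 'disinfecting' the file by removing the section makes the detection vanish while the host code is untouched. The minimal PE builder, the marker bytes, the section-stripping routine and the signature are all constructed for illustration; real Sality infects files differently, and the toy signature merely stands in for whatever the antivirus products actually matched.

```python
import struct

# Constructed stand-ins; neither is real malware code.
HOST_CODE = b"HOST STAND-IN: track-data stealer body (constructed bytes)"
INFECTOR_MARKER = b"SALITY-LIKE-MARKER"          # hypothetical bytes the toy signature keys on
INFECTOR_PAYLOAD = b"\x90" * 16 + INFECTOR_MARKER + b"\x90" * 16
INFECTOR_SECTION = b"srdata"                     # section name the article reports on sample #2

FILE_ALIGN = 0x200
OPT_HDR_SIZE = 0xE0                              # PE32 optional header size
SEC_HDR_FMT = "<8sIIIIIIHHI"                     # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(sections):
    """Build a minimal PE32 image from (name, raw_bytes) pairs. Synthetic: the
    DOS stub, file header and section table are laid out as in a real PE so the
    parser below can walk them, but the image is not loadable."""
    e_lfanew = 0x40
    n = len(sections)
    hdr_end = e_lfanew + 4 + 20 + OPT_HDR_SIZE + 40 * n
    raw_ptr = (hdr_end + FILE_ALIGN - 1) // FILE_ALIGN * FILE_ALIGN
    first_raw = raw_ptr
    sec_hdrs, raws, vaddr = b"", b"", 0x1000
    for name, data in sections:
        padded = data + b"\x00" * (-len(data) % FILE_ALIGN)
        sec_hdrs += struct.pack(SEC_HDR_FMT, name.ljust(8, b"\x00"), len(data),
                                vaddr, len(padded), raw_ptr, 0, 0, 0, 0, 0x60000020)
        raws += padded
        raw_ptr += len(padded)
        vaddr += 0x1000
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, OPT_HDR_SIZE, 0x102)
    opt_hdr = struct.pack("<H", 0x10B) + b"\x00" * (OPT_HDR_SIZE - 2)
    image = dos + b"PE\x00\x00" + file_hdr + opt_hdr + sec_hdrs
    return image + b"\x00" * (first_raw - len(image)) + raws


def parse_sections(image):
    """Walk the section table; returns one dict per section, in table order."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    _, n, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    sec_off = e_lfanew + 24 + opt_size
    out = []
    for i in range(n):
        off = sec_off + 40 * i
        name, _, _, rsize, rptr, _, _, _, _, chars = struct.unpack_from(SEC_HDR_FMT, image, off)
        out.append({"name": name.rstrip(b"\x00"), "hdr_off": off, "raw_ptr": rptr,
                    "raw_size": rsize, "data": image[rptr:rptr + rsize],
                    "characteristics": chars})
    return out


def find_appended_infector(image):
    """An infector that appends a section leaves it last in the table."""
    secs = parse_sections(image)
    return secs[-1] if secs and secs[-1]["name"] == INFECTOR_SECTION else None


def infector_signature(image):
    """Toy detection standing in for the 'Sality' verdicts every A/V returned: it
    looks only at the appended section and its marker bytes, so it says nothing
    about the host binary that carries the track-data code."""
    sec = find_appended_infector(image)
    return sec is not None and INFECTOR_MARKER in sec["data"]


def disinfect(image):
    """Emulate what the A/V did: drop the appended section (header and raw data)
    and fix NumberOfSections. Assumes, as build_pe guarantees, that the last
    section's raw data sits at the end of the file."""
    secs = parse_sections(image)
    if not secs or secs[-1]["name"] != INFECTOR_SECTION:
        return image
    last = secs[-1]
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    out = bytearray(image[:last["raw_ptr"]])
    out[last["hdr_off"]:last["hdr_off"] + 40] = b"\x00" * 40
    struct.pack_into("<H", out, e_lfanew + 6, len(secs) - 1)
    return bytes(out)


def demo():
    """Host alone, host infected, host 'cleaned': only the middle one is flagged."""
    host = build_pe([(b".text", HOST_CODE)])
    infected = build_pe([(b".text", HOST_CODE), (INFECTOR_SECTION, INFECTOR_PAYLOAD)])
    cleaned = disinfect(infected)
    return {
        "host_detected": infector_signature(host),
        "infected_detected": infector_signature(infected),
        "cleaned_detected": infector_signature(cleaned),
        "cleaned_sections": [s["name"] for s in parse_sections(cleaned)],
        "cleaned_keeps_host_code": HOST_CODE in cleaned,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The takeaway for triage is in the last three results: once the appended section is gone the file is back to its original, undetected form, and the only signals left are the host's own (here, the dropped DLL and export name both samples shared, and the track-data handling). A verdict of "Sality" on a point-of-sale box is therefore a reason to look harder at the host file, not a reason to close the case.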

Trustwave reiterates that all organisations have to use multiple layers of defence to avoid attack, rather than relying on antivirus detection alone. These include:

Tagged as: malware; antivirus
