Downloaders Changing Their Spots

By Matthew Hines  |  Posted 2009-06-09 Print this article Print

Lest one should think that Trojan downloaders are getting long in the tooth, in terms of the variety of techniques used to hide their intentions or deliver their code, security researchers report that attackers are still creating innovative new methods to keep their programs under wraps until they are called into action and to ensure effective infection.

According to a research note posted by Sophos expert Mike Wood, authors of newer Trojan downloaders continue to flex significant muscle in terms of cooking up tactics to hide their threats even as more security programs are being designed to search for anything fishy that might indicate a potential attack.

For instance, in the case of a threat dubbed Troj/FRuWL-Gen, the attack not only employs a range of different techniques for cloaking its activities, but also uses some "intriguing" methods to ensure that its payload is going to stick before eventually deleting itself.

According to Wood, the Trojan attack has two exported functions, one that handles the download of the eventual attack itself, and, interestingly, another that watches that process and tests to make sure that the payload has indeed been passed along to the involved device appropriately. The separation of duties makes the attack even harder to detect, and to stop, he said.

"Unlike a normal DLL function export address which points directly to the function's code, the exported dropper function address instead points to yet another address which leads to the actual dropper code. This adds yet another layer of obfuscation for the use of the DLL to potentially thwart some analysis tools," Wood observes.

The researcher also notes that the manner in which the attack attempts to ensure that it is effective in delivering its payload is very persistent and unique.

Instead of merely creating a new file on a computer's disk, it attaches an entire portable executable (PE) file to the affected machine's registry. That file is also hidden under a randomly generated name and tucked away as to seem more innocuous, Sophos reported.

And, in another twist, the involved type of Trojan also uses an "ingenious" mechanism for executing the code that is waiting quietly in the machine's registry files.

Troj/FRuWL-Gen shuts down the Windows System File Checker (sfc.dll) and patches kernel32.dll to run the malicious code on load, which as Wood notes, means that it will be run whenever any process is started.

All the various techniques involved in the attack point to high levels of technical expertise among its creators, which leads Sophos to believe that it was borne of advanced Russian malware gangs.

"The authors of this malware are clearly skilled at assembly programming -- thus it comes as no surprising that we have seen this packaged with other complex malware," Wood said. "But unlike the sexy Waled spam campaigns we have seen recently, with these clear ties to Russian malware and the espionage undertones of DLL-injection into every running process, Troj/FRuWL-Gen is clearly "From Russia without Love." Somewhere Ian Fleming is rolling over in his grave.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel