I’m glad to announce that Win32:SuspBehav – an advanced heuristic set of detections – is back on track now. It has been in a maintenance mode quite a while because there were some scheduled changes made to the underlying emulator. Following these changes, I was really curious about what the real-world feedback would be and this is what I found:
Wait! There’s a path to the legitimate IncrediMail installation directory. Hmmm, it is either a false positive or something really strange is going on here…..
When I took a detailed look at the two binaries from the report, I found many similarities. Further (dynamic) testing confirmed that they belong to the same malware family. But how is it possible to hide inside an IncrediMail binary? Is it a file infector? Actually yes, in an interesting sort of way. The ImApp.exe binary in this case is not the original one. It is an obfuscated wrapper and the original binary is encapsulated in the layer of encryption somewhere in the program resources (along with a malicious payload). After running the binary, a top-level domain identifier is extracted from Google’s GeoIP and if it matches (.com, .uk, .ca, .au) then a service “C:\WINDOWS\system32\htttpapi.dll” is registered. It also schedules its updating routines through the at command. The service may carry information sent out from the infected computer to the attacker’s data collector as well as inviting further infection modules to the victim PC.
Btw: regular IncrediMail binaries are digitally signed, this one is not, which can help the user in deciding whether to trust it or not. I’m really happy that it is not a FP and that both samples are easily detected by SuspBehav (which is “hidden” behind Small-NSN and Malware-gen detections here, because less heuristic detections are listed first). Both samples belong to the same family, as mentioned above, but surprisingly – VT results for them are quite different:
So, SuspBehav-K (one of the set of SuspBehavs) helped me to group these samples together, even though they might look completely different according to the VT results. That’s nice . Well done, SuspBehav. Well done, Michal. And don’t forget to send some credit to Roman Brezovsky who helped me with the binary analysis (you know, I’m quite busy all the time, thus I really appreciated an opportunity to offload the analysis on to someone else ).
Leave a reply