Antivirus software installed on your machine can detect malware, if it knows the signature or can detect the unique pattern for malware. On the other hand, malware attached to an email or downloaded from a website can also be tagged as malicious using heuristic technology.
Some heuristic detection methods involve looking into some readable and printable strings within the file, such as the names of APIs (Application Programming Interface) that can be used for malicious activities. These APIs are not malicious by themselves, but a combination of them in a single executable file can trigger the heuristic detection and flag the file as malicious.
Some heuristic detection methods also use the entropy of the file in order to flag it as suspicious. Entropy is a measure of how the bytes are arranged within the file. A high entropy value tells us that a file is encrypted, which can also trigger heurisitic detection.
We found a new downloader that tries to evade heuristic detection by minimizing the exposure of some important APIs. Moreover, the whole file is not encrypted, which helps to avoid entropy-based heuristic detection. This downloader is detected as W32/Onkod.
Enumerating the printable strings within Onkod shows no sign of API names and no URL links (see Figure 1) that can suggest malicious intent. The only noticeable element is the string “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0“. The said string indicates that it is going to use some sort of browsing or internet activity. We will refer back to this list in the following sections.
The boxed strings will play some important roles in the malware’s execution, as we will show later on.
Executing the Malware
After executing the file, we detected some internet activities which suggest that there should be some internet-related APIs triggered within the code. However, this was not shown in the list of strings.
The internet-related APIs are encrypted, as well as the other APIs needed by the malware. After the decryption, we can clearly see the names of these APIs, including those that the malware uses for its internet connections. These APIs are resolved using the GetProcAddress API (see Figure 2).
After resolving the needed APIs, the malware downloads the file “av.exe” (see Figure 3) and saves it to the %Temp% folder using a 10-numeric pseudo-random filename, such as “4712434768.exe”.
The User-Agent (“Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0”) that was used in downloading the file can be found in the list of strings in Figure 1.
During execution, the downloaded file that is saved to the %Temp% folder is executed. The downloaded file then drops another malware, which is a variant of the FakeAV trojan.
Finally, W32/Onkod displays a message box, which is shown in Figure 4. The title and message can be also found in the list of strings shown in Figure 1.
Below is the fake error message that signifies the completion of the downloader’s process. This is displayed while the FakeAV variant is now running in the background.
W32/Onkod avoids heuristic detection by hiding its suspicious properties. However, digging a little deeper into the code reveals that it is capable of doing more damage into a system once it is able to pass through this layer of security.
If the malware is already running, always be on the lookout for some of its visible symptoms, such as its fake error message and unwanted internet activities.
In order to avoid being infected by these types of malware, always take extreme care when executing normal-looking executable files. Better yet, do not execute any file that comes from an email or from an untrusted website.
Leave a reply