Attackers Get Sneakier With Encrypted Malware
Malware just got sneaky! Well, sneakier, that is. Attackers in Brazil have found a way to sneak around antivirus programs by using cryptography.
Recently Dmitry Bestuzhev, Kaspersky Lab's Head of Global Research and Analysis Team for Latin America, was looking over some potentially malicious links from Brazil when he discovered some files with .jpeg filename extensions. At first glance, Bestuzhev thought that they were some form of steganography--the art and science of hiding messages. But upon further inspection, the reseacher discovered that they were actually more like .bmp (bitmap) files, than JPEGs.
The data contained within the files themselves was obviously encrypted and contained some kind of malware; Bestuzhev later discovered that the data was in the form of block ciphers--a cryptographic method that encrypts 128-bit blocks of plain text in to 128-bit blocks of cipher text. Since block ciphers can only be composed of 128-bit blocks, they must break up the message into several blocks and encrypt each one individually. A process called modes of operation allows a cryptographer to repeatedly use block ciphers to encrypt an entire program--or piece of malware, in this case.
Modes of operation can use randomization based on an additional input value making it very difficult for any one program or decryter to be able to decrypt the code. When the file is opened, unencryped code--a decryption script in this case--would then run and execute the decrypted malicious code.
Unfortunately for the Web and its users, most antivirus software relies largely on searching for patterns of data that are alike or similar to its virus definitions. Some more advanced programs use heuristics to identify not necessarily problem code but virus structures based on miscellaneous wildcard characters (not A-Z and 0-9) and extra pointless "padding" code. However, even when a program is using heuristics, your virus scanner may only notify you that it's an untrusted or unknown file.
Even more unfortunate, the wildcard characters could be hidden in another type of seemingly useful file (e.g. .jpeg files) that actually displays an image, and therefore, might not trigger the virus scanner at all. Could it get even worse? Yes, but to my knowledge, most, if not all, virus scanners also are incapable of determining what will happen when the decryption script is run--that is, they don't actually execute the code to find out what will happen.
According to Bestuzhev the virus writers behind this particular attack publishes new mirrors and new variants of the malware about every 2 days, though the encryption code has remained the same so far. This is certainly scary for anyone out there that values their private information, and I just hope that the antivirus software companies can keep up.