Trojan:Win32/Sirefef.M using PNG-to-BMP conversion for obfuscating malicious code "Antivirus 2010 Security Centre"

A Microsoft researcher reports that they've found that malware authors are using a PNG-to-BMP conversion process as a means of obfuscating their malicious code, without any user interaction. Trojan:Win32/Sirefef.M is highly obfuscated, using multiple layers of encryption and a number of anti-debugging and anti-emulation techniques to avoid detection.

In a sample downloaded by Win32/Oficla, we find a .PNG file underneath one layer of its encryption. When the .PNG is viewed in an image viewer, it displays nothing. Win32/Sirefef.M proceeds to convert this image into a bitmap, which decompresses the image, producing more executable code for the trojan to execute.
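
As an added illustration (not code from the Microsoft post or the malware), here is a defender-side heuristic that mirrors the conversion step: inflate a PNG's pixel data the way a PNG-to-BMP conversion would, then check the resulting bitmap bytes for a DOS/PE header. The PNG builder and the `FAKE_PE` payload are constructed for this example; a production scanner would also need the other PNG filter types and colour modes.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype: bytes, data: bytes) -> bytes:
    # PNG chunk layout: length, type, data, CRC32 over type + data.
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def build_png(payload: bytes, width: int = 64) -> bytes:
    """Constructed sample: pack arbitrary bytes into an 8-bit greyscale PNG."""
    rows = [payload[i:i + width].ljust(width, b"\0") for i in range(0, len(payload), width)]
    raw = b"".join(b"\x00" + r for r in rows)  # filter type 0 (None) on every scanline
    ihdr = struct.pack(">IIBBBBB", width, len(rows), 8, 0, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")

def decode_pixels(png: bytes) -> bytes:
    """The PNG-to-BMP step: concatenate IDAT chunks, inflate, strip per-row filter bytes.
    Only 8-bit greyscale with filter type 0 is handled here."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, width, height, idat = len(PNG_SIG), 0, 0, b""
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        if ctype == b"IHDR":
            width, height, depth, colour = struct.unpack(">IIBB", data[:10])
            if depth != 8 or colour != 0:
                raise ValueError("only 8-bit greyscale supported in this example")
        elif ctype == b"IDAT":
            idat += data
        elif ctype == b"IEND":
            break
        pos += 12 + length
    raw, stride, out = zlib.decompress(idat), width + 1, bytearray()
    for r in range(height):
        row = raw[r * stride:(r + 1) * stride]
        if row[0] != 0:
            raise ValueError("unsupported filter type")
        out += row[1:]
    return bytes(out)

def hides_executable(png: bytes) -> bool:
    """Heuristic: does the decoded bitmap carry an MZ header whose e_lfanew points at 'PE\\0\\0'?"""
    pixels = decode_pixels(png)
    mz = pixels.find(b"MZ")
    if mz < 0 or mz + 0x40 > len(pixels):
        return False
    e_lfanew = struct.unpack_from("<I", pixels, mz + 0x3C)[0]
    return pixels[mz + e_lfanew:mz + e_lfanew + 4] == b"PE\0\0"

# Constructed stand-in for an embedded PE: MZ stub, e_lfanew = 0x40, then the PE signature.
FAKE_PE = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 60
```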

As part of its payload, Win32/Sirefef.M downloads a portable executable (PE) file from a specific IP through port 8082. This file is simply a resource-only DLL, detected as Rogue:Win32/Sirefef, containing resources such as image files, JavaScript and HTML files. Using all of these resources, Win32/Sirefef.M reveals its true colors, displaying the following fake scanning interface and exhibiting typical rogue behavior, calling itself "Antivirus 2010 Security Centre":

[Source]