
Jul 15, 2010

Bubnix spam bot added to MSRT uses Obfuscation scheme

Microsoft added “Bubnix” to its Malicious Software Removal Tool (MSRT). “WinNT/Bubnix is a complicated spam bot which arrives on an affected computer by way of a downloader, TrojanDownloader:Win32/Bubnix.A. TrojanDownloader:Win32/Bubnix.A is itself often downloaded by variants of Win32/Bredolab and Win32/Harnig in the wild,” said Microsoft's MSRT team.

“It’s common for malicious executables to be transferred in encrypted form by a downloader. In order to increase legitimacy, Bubnix goes further. Upon cursory inspection, this appears to be a ‘Rar’ archive. In fact, the header is a valid one for a password-protected archive. Any attempt to ‘decompress’ the archive will yield a request for a password. This isn’t really a true ‘Rar’ archive. Let us now take a closer look at the downloader itself (pic 2). We can see from this that, if what appears to be a ‘Rar!’ marker is found, the key and length are then extracted. This information is passed to a decryption function, where the malicious Bubnix driver is revealed. The highlighted portion in Figure 1 at offset 0x14 is the decryption key,” explains Microsoft.
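As an added illustration for analysts (not Microsoft's analysis and not Bubnix code), the Python triage helper below walks the RAR 4.x block chain, validating each block header's type, size and CRC, and reports the offset at which a file that opens with a valid `Rar!` marker stops looking like a real archive. It assumes the "valid header" in the quoted analysis means the 7-byte marker plus the 13-byte main header (with the header-encryption flag set), which puts the next byte at offset 0x14, the position the analysis gives for the key; the sample archives and the key bytes are constructed placeholders.

```python
import struct
import zlib

RAR4_MARKER = b"Rar!\x1a\x07\x00"  # marker block: HEAD_CRC 0x6152, type 0x72, flags 0x1a21, size 7
MAIN_HEAD, FILE_HEAD, END_HEAD = 0x73, 0x74, 0x7B
MHD_PASSWORD = 0x0080              # main-header flag: every block after it is encrypted
LONG_BLOCK = 0x8000                # HEAD_FLAGS bit: a 4-byte ADD_SIZE (packed data size) follows
BLOCK_TYPES = range(0x72, 0x7C)    # marker .. end-of-archive

def head_crc(block: bytes) -> int:
    """RAR4 HEAD_CRC: low 16 bits of CRC32 over the header from HEAD_TYPE to the header's end."""
    return zlib.crc32(block[2:]) & 0xFFFF

def rar_block(kind: int, flags: int, body: bytes = b"", data: bytes = b"") -> bytes:
    """Assemble a CRC-correct RAR4 block; used here only to construct sample input."""
    add = struct.pack("<I", len(data)) if flags & LONG_BLOCK else b""
    head = struct.pack("<BHH", kind, flags, 7 + len(add) + len(body)) + add + body
    return struct.pack("<H", zlib.crc32(head) & 0xFFFF) + head + data

def triage(buf: bytes) -> dict:
    """Walk the RAR4 block chain and report where the file stops behaving like an archive."""
    if not buf.startswith(RAR4_MARKER):
        return {"verdict": "not_rar", "offset": 0, "bytes": buf[:16].hex()}
    off = len(RAR4_MARKER)
    while off + 7 <= len(buf):
        crc, kind, flags, size = struct.unpack_from("<HBHH", buf, off)
        if (kind not in BLOCK_TYPES or size < (11 if flags & LONG_BLOCK else 7)
                or crc != head_crc(buf[off:off + size])):
            break                                # these bytes are not a RAR block header
        if flags & LONG_BLOCK:
            size += struct.unpack_from("<I", buf, off + 7)[0]
        off += size
        if kind == MAIN_HEAD and flags & MHD_PASSWORD:
            # Encrypted headers: nothing past here can be validated, so surface these bytes
            return {"verdict": "encrypted_headers", "offset": off, "bytes": buf[off:off + 16].hex()}
        if kind == END_HEAD:
            return {"verdict": "rar_ok", "offset": off, "bytes": ""}
    verdict = "rar_ok" if off >= len(buf) else "disguised"
    return {"verdict": verdict, "offset": off, "bytes": buf[off:off + 16].hex()}

# Constructed samples (not Bubnix bytes). Marker (7) + main header (13) places offset 0x14 exactly
# where a real archive's first file header, or its header-encryption salt, would begin.
NAME = b"a.txt"
FILE_BODY = struct.pack("<IBIIBBHI", 8, 2, 0, 0, 29, 0x30, len(NAME), 0x20) + NAME
GENUINE = (RAR4_MARKER + rar_block(MAIN_HEAD, 0, bytes(6))
           + rar_block(FILE_HEAD, LONG_BLOCK | 0x0004, FILE_BODY, b"\xaa" * 8)
           + rar_block(END_HEAD, 0x4000))
FAKE_KEY = bytes(range(0x10, 0x20))            # stand-in for the key the post says sits at 0x14
DISGUISED = RAR4_MARKER + rar_block(MAIN_HEAD, MHD_PASSWORD, bytes(6)) + FAKE_KEY + bytes(64)
PLAIN_FAKE = RAR4_MARKER + rar_block(MAIN_HEAD, 0, bytes(6)) + FAKE_KEY + bytes(64)
```

`triage(GENUINE)` walks to the end-of-archive block, while both constructed look-alikes stop at offset 0x14 and hand back the bytes found there for inspection.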

[Source]
