Microsoft researcher reports that they’ve found “that malware authors are using the PNG-to-BMP conversion process as a means of obfuscating their malicious code, without any user interaction. Trojan:Win32/Sirefef.M is highly obfuscated, using multiple layers of encryption and a number of anti-debugging and anti-emulation techniques to avoid detection.
In a sample downloaded by Win32/Oficla, we find a .PNG file underneath one layer of its encryption. When the .PNG file is viewed in an image viewer, it displays nothing. Win32/Sirefef.M proceeds to convert this image into a bitmap, which decompresses the image, producing more executable code for the trojan to execute.”
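The trick described above works because a PNG is only a zlib-compressed pixel buffer: decoding it to a bitmap hands the malware its raw bytes back. A defender can apply the same decode step and then check whether the pixel buffer looks like a Windows executable. The following is an added example, not code from Microsoft or from the Sirefef analysis: it parses PNG chunks with the standard library only, inflates the IDAT data, strips the per-scanline filter byte, and looks for a DOS `MZ` header whose `e_lfanew` field points at a `PE\0\0` signature. The `build_png_from_bytes` helper, the `FAKE_PE_IMAGE` fixture (a 256-byte stub carrying only the two signatures, no real code) and the `BENIGN_PIXELS` fixture are constructed here purely so the check runs offline; only filter type 0 scanlines are decoded, so images using other PNG filters would need a full unfilter pass first.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Samples per pixel for each PNG colour type (grey, RGB, palette, grey+alpha, RGBA).
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png_from_bytes(payload: bytes, width: int = 64) -> bytes:
    """Constructed test fixture: pack arbitrary bytes into an 8-bit greyscale PNG.

    Each scanline is one filter byte (0 = no filtering) followed by `width` pixel bytes,
    so decoding the image returns the payload verbatim (zero-padded to a full row).
    """
    rows = []
    for i in range(0, len(payload), width):
        rows.append(b"\x00" + payload[i:i + width].ljust(width, b"\x00"))
    ihdr = struct.pack(">IIBBBBB", width, len(rows), 8, 0, 0, 0, 0)
    idat = zlib.compress(b"".join(rows))
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def png_raw_pixels(data: bytes) -> bytes:
    """Return the decoded pixel buffer of a PNG (the bytes a PNG-to-BMP conversion exposes).

    Walks the chunk list, concatenates IDAT data, inflates it and drops the filter byte
    that precedes every scanline. Only filter type 0 is supported.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    width = height = bit_depth = colour_type = None
    idat = b""
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if ctype == b"IHDR":
            width, height, bit_depth, colour_type = struct.unpack(">IIBB", body[:10])
        elif ctype == b"IDAT":
            idat += body
        elif ctype == b"IEND":
            break
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
    if width is None:
        raise ValueError("PNG has no IHDR chunk")
    stride = (width * CHANNELS[colour_type] * bit_depth + 7) // 8
    raw = zlib.decompress(idat)
    pixels = bytearray()
    for y in range(height):
        off = y * (stride + 1)
        if raw[off] != 0:
            raise NotImplementedError("only filter type 0 scanlines are decoded here")
        pixels += raw[off + 1:off + 1 + stride]
    return bytes(pixels)


def find_pe_in_pixels(pixels: bytes):
    """Offset of an embedded PE image inside a pixel buffer, or None.

    Heuristic: an 'MZ' DOS header whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'.
    Requiring both signatures to line up keeps random 'MZ' byte pairs from alerting.
    """
    start = 0
    while True:
        mz = pixels.find(b"MZ", start)
        if mz == -1 or mz + 0x40 > len(pixels):
            return None
        e_lfanew = struct.unpack_from("<I", pixels, mz + 0x3C)[0]
        pe = mz + e_lfanew
        if 0 < e_lfanew < 0x1000 and pixels[pe:pe + 4] == b"PE\x00\x00":
            return mz
        start = mz + 1


def scan_png(data: bytes) -> dict:
    """Decode a PNG and report whether its pixel data carries a PE header."""
    pixels = png_raw_pixels(data)
    offset = find_pe_in_pixels(pixels)
    return {"pixel_bytes": len(pixels), "pe_offset": offset, "suspicious": offset is not None}


def _fake_pe_image() -> bytes:
    """Constructed stub: MZ header, e_lfanew -> 0x80, PE signature at 0x80, nothing else."""
    hdr = bytearray(0x100)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = b"PE\x00\x00"
    return bytes(hdr)


FAKE_PE_IMAGE = _fake_pe_image()          # constructed, not a real executable
BENIGN_PIXELS = bytes(range(256))         # constructed gradient with no MZ/PE pair

if __name__ == "__main__":
    print("stub PE in PNG :", scan_png(build_png_from_bytes(FAKE_PE_IMAGE)))
    print("benign gradient:", scan_png(build_png_from_bytes(BENIGN_PIXELS)))
```

The check operates on the decoded pixel buffer rather than on the PNG bytes on disk, which is the point: signature scanners that look at the compressed file see only zlib output, while the converted bitmap (top-down here; a real BMP stores rows bottom-up and pads them to four bytes) is where the executable becomes visible. It is a heuristic, not proof of maliciousness, so in practice a hit should route the dropper and the image to sandbox analysis rather than stand alone as a verdict.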