
Aug 26, 2010

Trojan:Win32/Sirefef.M using PNG-to-BMP conversion for obfuscating malicious code “Antivirus 2010 Security Centre”

Microsoft researchers report that they have found “that malware authors are using the PNG-to-BMP conversion process as a means of obfuscating their malicious code, without any user interaction.” Trojan:Win32/Sirefef.M is highly obfuscated, using multiple layers of encryption and a number of anti-debugging and anti-emulation techniques to avoid detection.

In a sample downloaded by Win32/Oficla, they found a .PNG file underneath one layer of its encryption. When the .PNG is viewed in an image viewer, it displays nothing. Win32/Sirefef.M proceeds to convert this image into a bitmap, which decompresses the image data and produces more executable code for the trojan to execute.

As part of its payload, Win32/Sirefef.M downloads a portable executable (PE) file from a specific IP address over port 8082. The file is simply a resource-only DLL, detected as Rogue:Win32/Sirefef, containing resources such as image files, JavaScript and HTML files. Using all of these resources, Win32/Sirefef.M reveals its true colors, displaying the following fake scanning interface and exhibiting typical rogue behavior, calling itself “Antivirus 2010 Security Centre”:
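The trick described above works because a PNG is just a zlib-compressed pixel stream: converting it to a bitmap inflates that stream, and whatever bytes were packed into the "pixels" come back out. A triage check for this can therefore inflate the IDAT data of a suspicious PNG and look for PE markers in the result. The script below is an added example, not code from Microsoft's report; the function names, the minimal PNG builder and the two sample images are constructed here, and it assumes the hidden bytes are stored with PNG filter type 0 (unfiltered rows).

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Strings a PE image carries; a genuine picture should not decode to these.
PE_MARKERS = (b"MZ", b"This program cannot be run in DOS mode", b"PE\x00\x00")

def png_chunks(data):
    """Yield (type, payload) for every chunk in a PNG byte string."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        yield ctype, data[pos + 8:pos + 8 + length]
        pos += 12 + length  # 4 length + 4 type + payload + 4 CRC

def decoded_pixel_stream(data):
    """Inflate the concatenated IDAT chunks. This is the raw scanline data
    (one filter byte per row, then pixels) that a PNG-to-BMP conversion writes out."""
    idat = b"".join(p for t, p in png_chunks(data) if t == b"IDAT")
    return zlib.decompress(idat)

def find_pe_markers(data):
    """Return the PE markers present in the decoded pixel stream of a PNG."""
    raw = decoded_pixel_stream(data)
    return [m for m in PE_MARKERS if m in raw]

def make_png(pixels, width, height):
    """Build a minimal 8-bit grayscale PNG (filter type 0 on every row).
    Used only to construct the sample inputs below."""
    assert len(pixels) == width * height
    rows = b"".join(b"\x00" + pixels[r * width:(r + 1) * width] for r in range(height))
    def chunk(ctype, payload):
        body = ctype + payload
        return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b"")

# Constructed samples: a blank image, and one whose pixels carry the start of a PE file
# (a DOS stub laid out so that the strings sit inside one 64-byte row each).
BENIGN_PNG = make_png(bytes(64 * 64), 64, 64)
STUB = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n"
SUSPECT_PNG = make_png(STUB.ljust(64 * 64, b"\x00"), 64, 64)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_PNG), ("suspect", SUSPECT_PNG)):
        print(name, find_pe_markers(blob))
```

Rows written with any other PNG filter type (Sub, Up, Average, Paeth) are transformed before compression, so a thorough check should unfilter the scanlines before searching, or simply compare the inflated size against what the IHDR dimensions justify.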

[Source]
