Information Security all in one place!

Trojan downloader is a problem for virus scanners


The Microsoft Malware Protection Center has found a trojan downloader that contains no suspicious routines in its initial state and is therefore difficult for virus scanners to detect. Once started, the small Visual Basic program loads a web page belonging to a Tibetan restaurant. The HTML of that page hides shell code, which the program reads straight into RAM and executes, without ever writing a file to disk.
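The post does not say how the shell code is encoded inside the restaurant page, so the following is an added example, not code from the original post or from Microsoft: a small Python scanner that looks for the kind of thing a downloader like this one would fetch. It assumes the shell code is stored as a long hex or base64 run (inside an HTML comment, for the sample page) and flags a run as suspicious if it decodes to bytes that either start with the `cld; call` prologue (`fc e8`) common to Metasploit-style Windows payloads or have entropy typical of packed or encrypted code. Both sample pages and the hex blob are constructed for this example; the blob is the prologue followed by filler bytes, not a real payload.

```python
import base64
import binascii
import math
import re

# Constructed sample pages (not the real restaurant site from the post).
BENIGN_HTML = """<html><head><title>Menu</title></head>
<body><!-- menu updated 2012-01-20 by the webmaster -->
<p>Momo, thukpa and butter tea served daily.</p></body></html>"""

# 'fc e8' (cld; call rel32) opens many Metasploit-style Windows payloads;
# everything after it is filler chosen for this example, not real shell code.
HEX_BLOB = ("fce80000000060"
            "9c3a1f7e5bd2804613a5c7e9f0b24d6e8fa0c2d4e6f8013579bdf2468ace1357")
MALICIOUS_HTML = ("<html><body><p>Welcome!</p>\n<!-- " + HEX_BLOB +
                  " -->\n</body></html>")

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# A run of at least 32 whole hex bytes that is not part of a longer hex run.
HEX_RE = re.compile(r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2}){32,}(?![0-9A-Fa-f])")
# A run of at least 64 base64 alphabet characters plus optional padding.
B64_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{64,}={0,2}(?![A-Za-z0-9+/=])")
KNOWN_PROLOGUES = (b"\xfc\xe8",)  # cld; call rel32


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 for random/encrypted data, far lower for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def decode_candidates(text: str):
    """Yield (encoding, offset, raw_bytes) for every decodable run in text."""
    for m in HEX_RE.finditer(text):
        yield "hex", m.start(), bytes.fromhex(m.group(0))
    for m in B64_RE.finditer(text):
        run = m.group(0)
        if HEX_RE.fullmatch(run):   # already reported as hex above
            continue
        try:
            yield "base64", m.start(), base64.b64decode(run, validate=True)
        except binascii.Error:      # not really base64 (bad padding/alphabet)
            continue


def scan_html(html: str, entropy_threshold: float = 6.0):
    """Return one finding per encoded blob, marking the suspicious ones."""
    comment_spans = [(m.start(), m.end()) for m in COMMENT_RE.finditer(html)]
    findings = []
    for encoding, offset, raw in decode_candidates(html):
        entropy = shannon_entropy(raw)
        prologue = raw[:2] in KNOWN_PROLOGUES
        findings.append({
            "encoding": encoding,
            "offset": offset,
            "in_comment": any(s <= offset < e for s, e in comment_spans),
            "length": len(raw),
            "entropy": round(entropy, 2),
            "known_prologue": prologue,
            "suspicious": prologue or entropy > entropy_threshold,
        })
    return findings


if __name__ == "__main__":
    for name, page in (("benign", BENIGN_HTML), ("malicious", MALICIOUS_HTML)):
        print(name, scan_html(page))
```

Run against a page the downloader is known to fetch, the scanner reports where the blob sits (a comment is a natural hiding place, since browsers render nothing), how long the decoded payload is and why it was flagged. The entropy threshold is a heuristic and will miss short or deliberately low-entropy payloads; the prologue check is exact but only covers the byte patterns you list.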


On a computer that is not connected to the internet, the executable, which Microsoft has labelled TrojanDownloader:Win32/Poison.A, only produces an error message. Once the downloaded code has run successfully, however, it copies itself into a system folder and begins logging keystrokes from there.

A modern virus scanner's behaviour monitor should raise an alert at this point. The spying functionality that is downloaded once an internet connection is available comes from the free "Poison Ivy" trojan builder, which can emit its payload directly as shell code.

Normally, a downloader pulls an executable file from the internet, saves it to disk and executes it, activity that a virus scanner's behaviour monitor should flag. Because this sample loads the shell code directly into memory, that file-based signal never appears. The example once again shows how important it is to install a virus scanner with a behaviour monitor.

Related article – https://blogs.technet.com/b/mmpc/archive/2012/01/24/a-different-breed-of-downloader.aspx?Redirected=true

One response

  1. That seems rather odd. Shouldn’t the AV see the routine that calls for the download & execution of miscellaneous files as being out of the ordinary?

    February 1, 2012 at 2:58 AM
