New Version of Alureon Ups the Ante on Encryption

2011-05-16T14:39:09
ID THREATPOST:22B958BD4D2B41FAFF368AAE114675CA
Type threatpost
Reporter Dennis Fisher
Modified 2013-04-17T16:34:33

Description

A new version of the venerable Alureon malware has appeared, and this one includes some odd behavior designed to prevent analysis and detection by antimalware systems. However, this isn’t the typical evasion algorithm, as it uses some unusual encryption and decryption routines to make life much more difficult for analysts and users whose machines have been infected.

Alureon is a well-known and oft-researched malware family, some variants of which have rootkit-like capabilities. The newest version exhibits behavior that researchers haven’t seen before, which makes it harder for antimalware software to detect and for experts to break down its components.

Researchers at Microsoft took apart the newest version of Alureon and found that the malware now uses what is essentially a brute-force attack to decrypt its own encrypted components.

“A particular set of files was taking longer to exhibit malicious behaviour than others. We started looking for why this was so, and ended up with a blast from the past. This time the malware was using Win32/Crypto-style decryption to elude anti-virus scanners,” the researchers said.

“The decryption function keeps a record of all previously tried keys to avoid using the same key over and over again and so running for an exceptionally long time on a user’s machine. This means that the function will try at most 255 times before successfully recovering the key. This magic value used in the last decryption step is previously retrieved from the header of the encrypted file.”

The Microsoft researchers found that the new version of Alureon not only employs this encryption and decryption routine, but also complicates matters by scattering the encrypted data throughout the executable image.

“Interestingly enough, the encrypted buffer supplied as input for the decryption function is not found as a contiguous memory region but instead is scattered throughout the PE’s image, being spread between code, data, resources, etc. This makes static recovery of the encrypted file more complicated,” Microsoft’s Marian Radu and Daniel Radu wrote in their blog post on the malware.
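The following Python is an added illustration, not code from the article or from Microsoft's analysis, of what the two quoted passages describe from an analyst's side: first reassembling an encrypted buffer that is spread across a PE image, then running the "try keys until the header magic reappears" loop, with a record of tried keys that bounds the loop at 255 attempts. The cipher (XOR with a one-byte key, then a 3-bit rotate), the header layout (a 4-byte plaintext magic followed by the encrypted body), the key-proposal order and the chunk table are all constructed assumptions; the page gives none of those details.

```python
"""Added example: models the Alureon self-decryption behaviour the article quotes.
All cipher, header and layout details are assumptions, not the real malware's."""
from itertools import count
from typing import Iterable, List, Optional, Tuple

MAGIC_LEN = 4  # assumed: a 4-byte plaintext magic stored in the file header


def _rol8(b: int, n: int) -> int:
    return ((b << n) | (b >> (8 - n))) & 0xFF


def _ror8(b: int, n: int) -> int:
    return ((b >> n) | (b << (8 - n))) & 0xFF


def encrypt_body(data: bytes, key: int) -> bytes:
    """Assumed toy transform: XOR each byte with the 1-byte key, then rotate left by 3."""
    return bytes(_rol8(b ^ key, 3) for b in data)


def decrypt_body(data: bytes, key: int) -> bytes:
    """Inverse of encrypt_body; only the correct key makes the magic reappear."""
    return bytes(_ror8(b, 3) ^ key for b in data)


def build_encrypted_file(magic: bytes, payload: bytes, key: int) -> bytes:
    """Constructed layout: [magic][encrypt(magic + payload)].
    The magic is stored in clear so the decryptor can check candidate keys against it."""
    return magic + encrypt_body(magic + payload, key)


def scatter_into_image(blob: bytes, image_size: int, offsets: List[int]) -> Tuple[bytes, List[Tuple[int, int]]]:
    """Place the blob in equal pieces at the given offsets of a filler 'image'.
    Returns the image and a chunk table (offset, length) an analyst would have to recover."""
    image = bytearray(b"\xCC" * image_size)
    piece_len = -(-len(blob) // len(offsets))  # ceiling division
    table = []
    for i, off in enumerate(offsets):
        piece = blob[i * piece_len:(i + 1) * piece_len]
        image[off:off + len(piece)] = piece
        table.append((off, len(piece)))
    return bytes(image), table


def gather_chunks(image: bytes, table: List[Tuple[int, int]]) -> bytes:
    """Reassemble the contiguous buffer the decryption function expects."""
    return b"".join(image[off:off + ln] for off, ln in table)


def key_candidates() -> Iterable[int]:
    """Assumed key-proposal order: each key in 1..255 is proposed twice in a row,
    so the tried-key record has duplicates to skip (37 is coprime to 255, so all keys appear)."""
    for i in count():
        yield ((i // 2) * 37) % 255 + 1


def recover_key(blob: bytes, candidates: Optional[Iterable[int]] = None) -> Optional[Tuple[int, bytes, int]]:
    """Brute-force the 1-byte key: decrypt the body with each untried candidate and accept the
    first one whose output starts with the header magic. Returns (key, payload, unique_tries)
    or None if 255 distinct keys (or the candidate stream) are exhausted without a match."""
    magic, body = blob[:MAGIC_LEN], blob[MAGIC_LEN:]
    tried = set()
    for key in (candidates if candidates is not None else key_candidates()):
        if key in tried:  # the record of previously tried keys from the quoted analysis
            continue
        tried.add(key)
        plain = decrypt_body(body, key)
        if plain[:MAGIC_LEN] == magic:
            return key, plain[MAGIC_LEN:], len(tried)
        if len(tried) >= 255:  # at most 255 attempts, then give up
            break
    return None


def demo() -> Tuple[int, bytes, int]:
    """Build a constructed sample, scatter it, gather it back and recover the key."""
    payload = b"constructed payload bytes, not malware"
    blob = build_encrypted_file(b"ALRN", payload, 0x5A)
    image, table = scatter_into_image(blob, 0x200, [0x20, 0x90, 0x150])
    result = recover_key(gather_chunks(image, table))
    if result is None:
        raise RuntimeError("key not recovered")
    return result


if __name__ == "__main__":
    key, payload, tries = demo()
    print(f"key=0x{key:02X} recovered after {tries} unique tries; payload={payload!r}")
```

The tried-key set is what turns an open-ended search into a bounded one: without it, a key schedule that re-proposes values could spin indefinitely, which is the detection side effect (files taking longer to turn malicious) the Microsoft researchers noticed. For analysis, the same loop can be run offline against a gathered buffer, which is why the chunk table matters as much as the key.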

Older versions of Alureon, which is also known as TDL and TDSS, have included other interesting capabilities as well. A version discovered last November had the ability to bypass the driver-signing protection on Windows 7 and Vista that is meant to prevent malicious code from being loaded at startup. TDL4 was able to do this by changing the applications that Windows will allow to load an unsigned driver.