Monday, June 1, 2009

Dawn of the Downl0ad3rs

So what are Trojan downloaders? In short: "Malware that is designed to download more malware" (duh!?). Actually, over the years these downloaders have evolved a lot, and today they represent a major chunk of the malware family.

So, what is the sole purpose of these so-called Trojan downloaders? "To download more nasty stuff onto the affected machine" (duh again!?). Yes, but much more than that. They are designed to be lightweight and stealthy, to evade Intrusion Prevention devices, and, more importantly, to give the attacker full control over what gets downloaded and when!

Typically, as soon as a downloader is executed on a system, it contacts a website (generally a hard-coded domain name) and waits for the response. But unlike a normal web server response, what actually comes back is a list of URLs to download more bad stuff from:
[ Fig 1 - Typical Trojan downloader webserver response ]

So now the attacker who owns the server can control what gets downloaded onto the affected system. He can change the files or links whenever he wants to. All the downloader has to do is fetch the files at the listed URLs and execute them. But that's not all: how about some obfuscation to trick our good ol' Intrusion Detection/Prevention devices (IDS/IPS)!?

[ Fig 2 - Encoded or obfuscated response ]

What may look like a bunch of garbage characters is actually hex-coded or otherwise obfuscated data, meant to keep the good guys at bay. The web server in this case gets even more sophisticated, scripting other activities for the downloader Trojan running on the affected machine!

[ Fig 3 - Using image name for downloading ]

Another trick is to use image names for downloading malware. At first it appears to be a harmless image download, but it is actually an executable file! Wireshark is smart enough to detect that it's not an image, but can your IDS/IPS do it?!
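As an added example (not from the original post), here is a small Python checker that does from the defender's side what the post describes: it recovers the URL list from a hex-coded downloader response like the one in Fig 2, and flags a download whose URL ends in an image extension but whose body starts with a PE header, as in Fig 3. The response bodies and the example.invalid URLs are constructed samples, not captured traffic.

```python
import re
import binascii

# Constructed sample traffic (not captured from real malware):
# the plain-text URL list a downloader expects, and the same list hex-encoded.
PLAIN_RESPONSE = b"http://example.invalid/files/a.exe\r\nhttp://example.invalid/files/b.exe\r\n"
HEX_RESPONSE = binascii.hexlify(PLAIN_RESPONSE)
# A download named like a picture whose body is really a PE executable (MZ header).
FAKE_IMAGE_URL = "http://example.invalid/images/logo.jpg"
FAKE_IMAGE_BODY = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
REAL_IMAGE_BODY = b"\xff\xd8\xff\xe0" + b"\x00" * 16   # genuine JPEG start

URL_RE = re.compile(rb"https?://[^\s\"'<>]+")
HEX_RE = re.compile(rb"[0-9a-fA-F]+")
IMAGE_EXTENSIONS = ("jpg", "jpeg", "gif", "png", "bmp")
# File-type magic numbers, checked against the start of the response body.
MAGIC = [(b"MZ", "pe-executable"), (b"\xff\xd8\xff", "jpeg"),
         (b"\x89PNG\r\n\x1a\n", "png"), (b"GIF8", "gif"), (b"BM", "bmp")]


def extract_urls(body):
    """Return the URLs in a downloader response, hex-decoding it first if needed."""
    stripped = body.strip()
    if stripped and len(stripped) % 2 == 0 and HEX_RE.fullmatch(stripped):
        body = binascii.unhexlify(stripped)   # Fig 2 style: the whole body is hex text
    return [u.decode("ascii", "replace") for u in URL_RE.findall(body)]


def sniff_type(body):
    """Classify a body by its magic bytes, ignoring whatever the URL claims."""
    for prefix, name in MAGIC:
        if body.startswith(prefix):
            return name
    return "unknown"


def is_disguised_executable(url, body):
    """True when the URL looks like an image but the body is a PE executable (Fig 3)."""
    ext = url.rsplit("?", 1)[0].rsplit(".", 1)[-1].lower()
    return ext in IMAGE_EXTENSIONS and sniff_type(body) == "pe-executable"


if __name__ == "__main__":
    print(extract_urls(HEX_RESPONSE))
    print(is_disguised_executable(FAKE_IMAGE_URL, FAKE_IMAGE_BODY))  # True
    print(is_disguised_executable(FAKE_IMAGE_URL, REAL_IMAGE_BODY))  # False
```

The same magic-byte comparison is what lets Wireshark tell an executable from a picture regardless of the file name; an IDS/IPS rule that only looks at the URL extension misses it.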

Ultimately a whole bunch of crap, from worms and Trojans to fake AV programs to malicious .pdf and .swf files, can get downloaded onto your system. So be careful and keep your AV updated; you never know what a small exe could do to your system!

