Somebody once said..

"If you convince people that the wheel isn't right, they will allow you to re-invent it"

Friday, September 4, 2009

Strange pieces of malware...

Recently I came across two strange pieces of malware – Win32/Induc.A and Win32/Skytap.A.

Well, you can't exactly call the first one malware in the usual sense, because it does none of the usual malicious things like disabling AVs, downloading Trojans or stealing data. But the way it spreads is very interesting. Win32/Induc.A is the first malware of its kind to target the Delphi development environment. For those who don't know, Delphi is an object-oriented, visual programming environment for developing 32-bit and Microsoft .NET applications for deployment on the Internet, Windows and Linux. Induc does not patch the compiler binary itself: it rewrites the source of the SysConst unit in the Delphi installation's library directory, recompiles it, and replaces the compiled unit, so the infection code is linked into every program built on that machine from then on. So essentially, any Delphi program compiled on a machine infected with this Trojan contains a copy of the Trojan embedded inside it, and that is how it spreads!

Now what's even more interesting is that this smart little Trojan managed to stay undetected by all the AV/AS vendors for more than a year! Along the way it infected a lot of Delphi programs, including other malware :) Yes, there are variants of Win32/Bancos, a popular password-stealing Trojan, that carry Win32/Induc code! We're lucky that Win32/Induc does nothing more than infect the Delphi build environment; otherwise this could have been a whole different story. AV vendors now claim that this harmless payload is the very reason it went undetected for so long, but nevertheless, at least the malware authors got a taste of their own medicine :P !
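The practical lesson from Induc is that reviewing your own source code does not help when the build environment is what got compromised; the thing to verify is the toolchain. The script below is an added example of mine, not Induc's code and not something from the original post: it baselines a Delphi-style Lib directory with file hashes, then re-verifies it and flags modified units, new files, and a .bak file sitting next to a known unit (public analyses describe Induc leaving a SysConst.bak backup behind; treating that as an indicator is an assumption of this example, not a general signature). The directory contents are constructed and are not real Delphi files.

```python
"""Toolchain integrity check in the spirit of the Win32/Induc.A story.

Added example, not code from the original post or from Induc. It hashes the
files in a Delphi-style Lib directory against a trusted manifest and flags
anything that changed or appeared, so a compile-time infector that rewrites
SysConst.pas/.dcu shows up before the next build ships.
"""
import hashlib
import os
import tempfile

# Constructed stand-ins for a clean Lib directory; not real Delphi files.
CLEAN_LIB = {
    "SysConst.pas": b"unit SysConst;\ninterface\nimplementation\nend.\n",
    "SysConst.dcu": b"\x00DCU-clean-SysConst\x00",
    "SysUtils.dcu": b"\x00DCU-clean-SysUtils\x00",
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(lib_dir):
    """Hash every file under lib_dir. Store the result while the toolchain is trusted."""
    manifest = {}
    for root, _dirs, files in os.walk(lib_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, lib_dir).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_manifest(lib_dir, manifest):
    """Compare lib_dir against a trusted manifest.

    Returns sorted lists: modified (hash changed), added (not in the manifest),
    missing (in the manifest but gone) and suspicious (an added .bak file whose
    stem matches a unit the manifest knows; assumption: the backup artifact
    public analyses attribute to Induc, not a general signature).
    """
    current = build_manifest(lib_dir)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    added = sorted(p for p in current if p not in manifest)
    missing = sorted(p for p in manifest if p not in current)
    known_units = {os.path.splitext(p)[0] for p in manifest}
    suspicious = sorted(
        p for p in added
        if p.lower().endswith(".bak") and os.path.splitext(p)[0] in known_units
    )
    return {"modified": modified, "added": added, "missing": missing,
            "suspicious": suspicious}


def _write_files(lib_dir, files):
    for rel, data in files.items():
        with open(os.path.join(lib_dir, rel), "wb") as f:
            f.write(data)


def demo():
    """Baseline a constructed Lib dir, simulate an Induc-style edit, re-verify."""
    with tempfile.TemporaryDirectory() as lib_dir:
        _write_files(lib_dir, CLEAN_LIB)
        trusted = build_manifest(lib_dir)

        # Simulated infection (constructed, no real Induc code): the original
        # compiled unit is parked as SysConst.bak, the unit source gains an
        # initialization block, and the unit is "recompiled" in place.
        os.rename(os.path.join(lib_dir, "SysConst.dcu"),
                  os.path.join(lib_dir, "SysConst.bak"))
        _write_files(lib_dir, {
            "SysConst.pas": CLEAN_LIB["SysConst.pas"].replace(
                b"end.", b"initialization\n  { injected }\nend."),
            "SysConst.dcu": b"\x00DCU-rebuilt-SysConst\x00",
        })
        return verify_manifest(lib_dir, trusted)


if __name__ == "__main__":
    print(demo())
```

In practice the manifest would be generated on a clean install and kept off the build box, and the verification run before every release build; a hash mismatch on a runtime unit is a stop-the-line event, not a warning.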

The second piece of malware, Win32/Skytap, is again unique: its source code was published by a Swiss software developer on his website last month. It targets users of Skype, an application popularly used for making voice over IP (VoIP) calls. As you might have already guessed, this Trojan taps into Skype's audio function calls, extracts the audio data and dumps it to files. Not only that, it also converts the recorded conversations to the mp3 format and encrypts them.

Win32/Skytap.A has two components: SkyDLLInjector.exe and DLLToInject.dll. The injector loads the DLL into the Skype process, where it hooks the Windows API calls used for audio input and output. It can then intercept all audio data travelling between the Skype process and the underlying audio device, which makes Skype's network-level encryption useless: the call is captured on the endpoint before it is encrypted for the wire (and after it is decrypted on the receiving side). The extracted audio is saved to .mp3 files and can be sent out to a remote website via the backdoor component. I am sure we will soon see variants of this Trojan adapted to other VoIP/messaging software as well.

Now that's the most interesting stuff I have come across in a long time :) !
