Other issues in this category (38)
Blast from the past
Friday, September 28, 2018
The Adwind Trojan, previously used by cybercriminals to carry out attacks on industrial enterprises all over the world, now incorporates a new set of antivirus-evasion tools.
Of particular concern is the new Dynamic Data Exchange (DDE) injection code feature whose purpose it is to compromise Microsoft Excel and bypass anti-virus solutions.
Attackers send malicious messages as .CSV or .XLT attachments that open in Excel by default.
According to experts, the new method has been implemented for obfuscation purposes. The file does not contain a header that has to be checked — this can confuse anti-virus software which expects ASCII characters to appear in the CSV format.
Instead of trying to detect the file as malware, anti-virus software can simply treat the file as damaged.
In general, obfuscation is when code is made to be complicated; it is a technique whereby parts of a malware program get mixed up within an executable file so that it’s impossible to recover the source code and find a known signature. But, what's a signature got to do with it? We couldn't understand that. Judging from the news post, the cybercriminals are using a common concealing technique.
Simply put: The attackers are putting malicious code in .CSV or .XLT files so that they look damaged. The anti-virus gets scared and doesn’t scan it.
If that were the case, it would be very easy to bypass an anti-virus. For example, cybercriminals can take any file with a known format and break its structure. But, the situation is the exact opposite. An anti-virus should scan all files even if they seem to be irretrievably damaged. That’s why an anti-virus is a multi-purpose unpacker capable of unpacking an archive that no archive extract utility can handle.
To reply to an unasked question: Yes, Dr.Web knows those formats, just as it knows many other formats. It even detects Java.Adwind. Note: Dr.Web anti-virus has been detecting it since 2015! That’s some "breaking" news.
Obfuscation did not help the Trojan ...#anti-virus_scan #Trojan #security #Dr.Web
The Anti-virus Times recommends
Everything old is new again. Unfortunately, we keep encountering the same news posts where only the date changes.
Tell us what you think
To leave a comment, you need to log in under your Doctor Web site account. If you don't have an account yet, you can create one.