
Packing a punch (II)

March 20th, 2007 Pedro Bustamante

Following up on the Packing a punch post, we recently came across a couple of banking targeted attack Trojans that use interesting signature-based detection evading techniques.

There are packers (UPX, FSG, etc.) and cryptors or protectors (ASProtect, SWPK, Armadillo, Themida, etc.). The latter are widely used by legitimate software publishers to protect their applications from being cracked by pirates. Crackers create generic tools to un-protect software applications and, just as with malware, crackers and software publishers are in a constant cat-and-mouse race to crack and to avoid being cracked.

The first Trojan we'll look at uses regular and known packing techniques. By investigating different downloader variants which the Trojan uses to update itself, we found a point-and-click utility with runtime-packing functionality to create additional Trojan downloader variants that evade detection.

The user only needs to type in the URL where the downloader should get the Trojan from, choose the runtime packing technique of choice from a drop-down box (or add a custom one) and click "Make Downloader…" Voilà, we have a new undetectable Trojan.

Great. Now any regular Joe Blow can point-and-click to create yet more undetectable Trojan downloader variants. We'll be adding a signature which will generically detect any downloader created by this utility.


The next Trojan we'll look at is a bit more advanced. It wasn't picked up or identified by any of our internal tools, or by competing AV engines. Taking a more in-depth look at it, we see that there are no visible strings and the entry point is typical of packers… probably a new type of packer? Let's follow the unpacking algorithm with OllyDbg in the video and find out.

After unpacking it manually, its size doubles and the strings within become visible. It turns out it's a purpose-made runtime packer created specifically for distributing malware, and it is undetectable by any current AV unpacking algorithm (at least the ones we've checked). The actual Trojan is a targeted attack on users of well-known banks and financial institutions, using brand new techniques to steal banking credentials (I'll show details of these techniques at the eCrime Congress later this month).

In Packing a punch we discussed whether packers should be detected more generically than they are now. There are some interesting points of view and valid arguments from legitimate software developers, but even if those are taken into consideration the question still remains: should more unknown packers, and packers used by malware such as the ones shown above, be detected generically?

  1. Pedro Bustamante
    May 28th, 2007 at 21:51

    What can I do to see more than nothing in this video?
    The resolution is too low, in my opinion.

  2. Pedro Bustamante
    May 29th, 2007 at 01:00

    You’re right, it’s pretty hard to make anything out. The higher-res file (11mb) is available for download at http://research.pandasoftware.com/blogs/images/malpacker.wmv

  3. Pedro Bustamante
    July 20th, 2008 at 22:34

    dreamdownloader, Russian made.
