Friday, September 08, 2006

Malware scramble to evade defences

A Trojan horse program designed to compromise systems uses Microsoft Windows' Encrypted File System to scramble its payload and evade detection, a researcher at security firm McAfee warned this week.

The attack tool consists of two main components, a dialer known as Qdial-45 and an encrypted downloader known as Spy-Agent.bf. The dialer disconnects the current modem connection and then dials a premium service for displaying adult content. The downloader uses the Encrypted File System (EFS) to obfuscate itself and retrieves updated content from a list of sites on the Internet.

"The Trojan creates an administrator login account with a random name and random password," McAfee stated on its research blog. "Using this login key pair it then encrypts the downloader component that it drops. It then creates a random service that points to the encrypted file with logon properties of the newly created login and password."
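The behaviour McAfee describes leaves a recognisable trail in the Windows event logs: a local account is created, it is added to the Administrators group, and shortly afterwards a new service is installed whose logon account is that freshly created user. The following detection script is an added example written for this post; it is not McAfee's code and is not from the original article. It correlates constructed sample records shaped after the Windows Security events 4720 (user account created) and 4732 (member added to a local group) and the System event 7045 (service installed); the field names are simplified and the account, service and path values are invented. The `is_efs_encrypted` helper is a hypothetical companion check that reads the `FILE_ATTRIBUTE_ENCRYPTED` bit on Windows so an analyst can confirm whether a flagged service binary is in fact EFS-encrypted.

```python
from datetime import datetime, timedelta
import os
import stat

# Constructed sample events (not real log data). Times and names are invented;
# "id" follows the Windows event ID for the record type being modelled.
SAMPLE_EVENTS = [
    {"time": "2006-09-08T10:00:01", "id": 4720, "user": "hxk3q7"},              # account created
    {"time": "2006-09-08T10:00:02", "id": 4732, "member": "hxk3q7",
     "group": "Administrators"},                                                  # added to Administrators
    {"time": "2006-09-08T10:00:05", "id": 7045, "service": "svc8f1a",
     "image": r"C:\WINDOWS\system32\dl8f1a.exe", "account": r".\hxk3q7"},        # service runs as new user
    {"time": "2006-09-08T10:30:00", "id": 7045, "service": "Spooler",
     "image": r"C:\WINDOWS\system32\spoolsv.exe", "account": "LocalSystem"},     # benign built-in account
    {"time": "2006-09-08T11:00:00", "id": 4720, "user": "backupop"},
    {"time": "2006-09-08T15:00:00", "id": 7045, "service": "BackupAgent",
     "image": r"C:\Program Files\Backup\agent.exe", "account": r".\backupop"},    # hours later: outside window
]

# Service accounts that are expected and never count as "newly created".
BUILTIN_SERVICE_ACCOUNTS = {
    "localsystem",
    "nt authority\\system",
    "nt authority\\localservice",
    "nt authority\\networkservice",
}


def _parse(ts):
    return datetime.fromisoformat(ts)


def _normalise_account(name):
    """Reduce '.\\user' or 'HOST\\user' to 'user' (lower-case); keep built-ins intact."""
    low = name.lower()
    if low in BUILTIN_SERVICE_ACCOUNTS:
        return low
    return low.rsplit("\\", 1)[-1]


def find_suspicious_services(events, window=timedelta(minutes=15)):
    """Flag services whose logon account was created shortly before the install.

    Returns a list of findings; each records the service, the account, the
    binary path and the reasons the pairing looked suspicious.
    """
    created = {}      # account name -> time of its 4720 event
    admin_added = {}  # account name -> time it was added to Administrators
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = _parse(ev["time"])
        if ev["id"] == 4720:
            created[ev["user"].lower()] = t
        elif ev["id"] == 4732 and ev.get("group", "").lower() == "administrators":
            admin_added[ev["member"].lower()] = t
        elif ev["id"] == 7045:
            acct = _normalise_account(ev["account"])
            if acct in BUILTIN_SERVICE_ACCOUNTS:
                continue
            born = created.get(acct)
            # Only a service whose account appeared within `window` before it is flagged.
            if born is None or not (timedelta(0) <= t - born <= window):
                continue
            reasons = ["service logon account created %d s before the service was installed"
                       % (t - born).seconds]
            if acct in admin_added:
                reasons.append("that account was added to Administrators")
            findings.append({"service": ev["service"], "account": acct,
                             "image": ev["image"], "reasons": reasons})
    return findings


def is_efs_encrypted(path):
    """True/False on Windows from the FILE_ATTRIBUTE_ENCRYPTED bit; None if unknown.

    Hypothetical follow-up check for a flagged service binary. Returns None on
    non-Windows platforms (no st_file_attributes) or if the file cannot be read.
    """
    try:
        attrs = getattr(os.stat(path), "st_file_attributes", None)
    except OSError:
        return None
    if attrs is None:
        return None
    return bool(attrs & stat.FILE_ATTRIBUTE_ENCRYPTED)


if __name__ == "__main__":
    for hit in find_suspicious_services(SAMPLE_EVENTS):
        print(hit["service"], hit["account"], hit["image"], "; ".join(hit["reasons"]))
        print("  EFS-encrypted binary:", is_efs_encrypted(hit["image"]))
```

Run against the constructed events, the script flags only `svc8f1a`: its account was created four seconds before the service was installed and had been added to Administrators. `Spooler` is skipped because it runs as a built-in account, and `BackupAgent` is skipped because its account was created hours earlier, which is why the correlation uses a short time window rather than flagging every service that runs as a local user. The event IDs used are the Security and System log IDs of Vista and later; on the Windows XP systems of 2006 the account events carry different numbers, so the mapping would need adjusting for that source.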

The attack tool is the latest malicious program to use encryption to attempt to hide itself from desktop security software, such as antivirus applications. Last month, security firm Symantec, which owns SecurityFocus, highlighted a virus that uses encryption and certain Windows functions to hide itself. Other malicious code, known as ransomware, uses encryption to scramble a victim's files and offers the keys to descramble them only if the person pays a fee.

The Trojan was first discovered in early August, but recently there has been a surge in infections, McAfee said.
