Some malware now downloads code that is not obviously malicious on its own: small blobs that turn into nasty instructions once they are on the target machine.
Researchers at Microsoft found this code when investigating a file that was calling out to the site of a restaurant. The researchers expected the file to be a run-of-the-mill downloader that would pull down a malicious executable hosted on the compromised server and then run that locally. But that wasn’t the case.
Instead, the file was downloading a piece of code that didn’t seem to do much at all at first. Further analysis, however, showed that was just the beginning.
The initial Visual Basic application analyzed turned out to be doing quite a few different things.
“Once the application was run on a machine with a simulated Internet connection, it got the contents of the HTML page of the restaurant website mentioned previously. The application copied itself to the Windows system folder as ‘misys.exe’, and started keylogging, although the static analysis did not indicate this kind of functionality,” Microsoft researchers said.
“So the VB Application is extending its functionality dynamically by downloading and executing x86 instructions in the context of its own process. The ‘downloader’ becomes malware by executing this downloaded blob of x86 instructions. And the downloaded instructions will not be injected into a different process and not dropped to disc; they will be executed in the process context of the ‘downloader,’ thus the ‘downloader’ inherits the malware functionality.”
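A defender-side illustration of the pattern the researchers describe, added here and not part of the original article or of Microsoft's analysis: a heuristic over constructed process telemetry that flags a process which fetches a web "page", then makes memory executable inside its own process, writes nothing to disk and installs a keyboard hook. The event names (net_get, mem_protect_exec, file_write, process_create, set_keyboard_hook) and the sample rows are assumptions, not a real EDR schema.

```python
from collections import defaultdict

def is_textual(body: bytes, threshold: float = 0.9) -> bool:
    """True if the bytes look like a text page (HTML), not a binary blob."""
    if not body:
        return True
    printable = sum(1 for b in body if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(body) >= threshold

def score_process(events):
    """Score one process's ordered (kind, detail) events; returns (score, reasons)."""
    kinds = [kind for kind, _ in events]
    if "net_get" not in kinds:
        return 0, []
    fetch_idx = kinds.index("net_get")
    body, later = events[fetch_idx][1], kinds[fetch_idx + 1:]
    # Core signal: memory made executable after a web fetch, in the same process.
    if "mem_protect_exec" not in later:
        return 0, []
    signals = [
        (not is_textual(body), "fetched 'page' body is binary, not text"),
        ("file_write" not in later and "process_create" not in later,
         "nothing dropped to disk, no child process"),
        ("set_keyboard_hook" in later, "keyboard hook installed after fetch"),
    ]
    reasons = ["executable memory after web fetch"] + [r for hit, r in signals if hit]
    return len(reasons), reasons

def analyze(telemetry):
    """Group (pid, kind, detail) rows by pid; return {pid: (score, reasons)} for hits."""
    by_pid = defaultdict(list)
    for pid, kind, detail in telemetry:
        by_pid[pid].append((kind, detail))
    scored = {pid: score_process(ev) for pid, ev in by_pid.items()}
    return {pid: res for pid, res in scored.items() if res[0] > 0}

# Constructed sample telemetry (pid, event kind, detail); assumed event schema.
SAMPLE = [
    (1001, "net_get", bytes(range(0xE0, 0xF0)) * 2),   # stand-in for a non-text body
    (1001, "mem_protect_exec", "RWX region in own process"),
    (1001, "set_keyboard_hook", "WH_KEYBOARD_LL"),
    (2002, "net_get", b"<html><body>Menu</body></html>"),  # ordinary page fetch
    (2002, "file_write", "C:\\Users\\x\\Downloads\\menu.html"),
    (3003, "mem_protect_exec", "JIT region"),           # exec memory, but no prior fetch
    (3003, "net_get", b"<html>ok</html>"),
]
```

Processes that legitimately JIT after fetching content (browsers, managed runtimes) will trip the core signal, so in practice the rule needs an allow-list keyed on the process image.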
What the victim ends up with at the end of all these machinations is a version of the notorious Poison Ivy backdoor, which has been around for several years and has been used in some well-known attacks. Poison Ivy was the malware used in the attack on RSA early last year.
Poison Ivy is one of the malware tools that lets attackers create their own version through a builder kit with various options. A report on Poison Ivy by Microsoft late last year found that, although the tool itself is now about seven years old, it is still seeing wide usage. Microsoft said in October it removed Poison Ivy from more than 16,000 machines.