Microsoft finds Trojan that hides files to evade analysis
Win32/Nemim.gen.A highlights sophisticated techniques used to protect malware as a kind of intellectual property
By Antone Gonsalves
April 17, 2013 — CSO — Microsoft has discovered an unusually stealthy Trojan capable of deleting files it downloads in order to keep them away from forensics investigators and researchers.
The Trojan downloader, called Win32/Nemim.gen.A, is the latest example of how malware writers are using sophisticated techniques to protect their own trade secrets. The Trojan essentially makes downloaded component files irrecoverable, so they cannot be isolated and analyzed.
"During analysis of the downloader, we may not easily find any downloaded component files on the system," Jonathan San Jose, a member of Microsoft's Malware Protection Center, said in a blog post. "Even when using file recovery tools, we may see somewhat suspicious deleted file names but we may be unable to recover the correct content of the file."
Microsoft managed to grab some components as they were being downloaded from a remote server. The malware's two purposes was to infect executable files in removable drives, and to unleash a password stealer to snatch credentials from email accounts, Windows Messenger/Live Messenger, Gmail Notifier, Google Desktop and Google Talk.
Typically, downloaders' only job is to deliver the core malware. In this case, the downloader delivered the malware and continued to be an integral part of the operation.
In general, malware has become better at remaining under the radar. Some of the stealthiest malware is used in advanced persistent threats (APTs) targeted at specific organizations.
"Malware that covers its tracks to prevent the security community from developing quick defensive signatures is the norm today," said Paul Henry, a forensic analyst for Lumension.
For sometime, criminals have developed malware that can sense when it is in a virtualized workstation commonly used by researchers to isolate and study malicious code. When it is in such an environment, the malware will enter a dormant state, so it cannot be easily discovered.
Other malware inserts its malicious code in system memory, never leaving a trail in the infected computer's registry or hard drive, Henry said.
"Your grandfather's security solutions will leave you utterly defenseless against today's evolving threats," he said.
Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.