The Trojan downloader, called Win32/Nemim.gen!A, is the latest example of how malware writers are using sophisticated techniques to protect their own trade secrets. The Trojan essentially makes downloaded component files irrecoverable, so they cannot be isolated and analysed.
“During analysis of the downloader, we may not easily find any downloaded component files on the system,” Jonathan San Jose, a member of Microsoft’s Malware Protection Centre, said in a blog post.
“Even when using file recovery tools, we may see somewhat suspicious deleted file names but we may be unable to recover the correct content of the file.”
Microsoft managed to grab some components as they were being downloaded from a remote server.
The malware’s two purposes was to infect executable files in removable drives, and to unleash a password stealer to snatch credentials from email accounts, Windows Messenger/Live Messenger, Gmail Notifier, Google Desktop and Google Talk.
Typically, downloaders’ only job is to deliver the core malware. In this case, the downloader delivered the malware and continued to be an integral part of the operation.
In general, malware has become better at remaining under the radar. Some of the stealthiest malware is used in advanced persistent threats (APTs) targeted at specific organisations.
“Malware that covers its tracks to prevent the security community from developing quick defensive signatures is the norm today,” said Paul Henry, a forensic analyst for Lumension.
For sometime, criminals have developed malware that can sense when it is in a virtualised workstation commonly used by researchers to isolate and study malicious code. When it is in such an environment, the malware will enter a dormant state, so it cannot be easily discovered.
Other malware inserts its malicious code in system memory, never leaving a trail in the infected computer’s registry or hard drive, Henry said.
“Your grandfather’s security solutions will leave you utterly defenseless against today’s evolving threats,” he said.