Bookworm: installation with Microsoft & Kaspersky files

A new trojan discovered by Palo Alto Networks uses security software present on the victim's computer to load the DLL files it needs for its installation.

The Palo Alto researchers named this new trojan Bookworm; it shares some similarities with the PlugX RAT.

For now, Palo Alto reports that the trojan has only been seen in Thailand.

As for its internal structure, Bookworm appears to be part of a growing trend towards modular malware. Its components are installed on the victim's computer in several stages to avoid detection, and reportedly a remote C&C (command and control) server decides which modules are loaded onto the machine, based on the target's profile.

The internal architecture of the Bookworm trojan is simple. Several malicious DLLs are XOR-encrypted and stacked together in a single file named Readme.txt.

This Readme.txt is bundled with a clean DLL and a clean EXE into a self-extracting RAR archive, built with Smart Installer, an application for creating installation packages.

When the installer runs, the self-extracting archive drops the Readme.txt, the clean DLL and the clean EXE onto disk.
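To make the "XOR-encrypted modules stacked in one file" idea concrete, here is an added example (not code from the article or from Palo Alto's analysis) of how an analyst recovers such modules without knowing the key up front. It builds a constructed container of fake PE images, then walks it and recovers each module's single-byte XOR key from the known PE plaintext ("MZ" magic plus the DOS stub string). The container layout (a count followed by length-prefixed blobs), the single-byte key size and the fake modules are all assumptions made for the example; Bookworm's real Readme.txt layout is not described on the page.

```python
import struct

# Known plaintext present in every normal PE file's DOS stub; used to confirm
# that a recovered key really decrypts to an executable.
DOS_STUB = b"This program cannot be run in DOS mode."


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def fake_module(name: bytes) -> bytes:
    """Constructed stand-in for a DLL: MZ magic, DOS stub string, short body.
    This is test data for the example, not a real Bookworm module."""
    return b"MZ\x90\x00" + b"\x00" * 0x4A + DOS_STUB + b"\x00" * 8 + b"<module:" + name + b">"


def build_container(modules, keys) -> bytes:
    """Pack modules the way the article describes (XOR-encrypted, stacked).
    Layout is an assumption: 4-byte LE count, then per module a 4-byte LE
    length followed by the encrypted bytes."""
    out = struct.pack("<I", len(modules))
    for module, key in zip(modules, keys):
        enc = xor_bytes(module, key)
        out += struct.pack("<I", len(enc)) + enc
    return out


def recover_key(blob: bytes):
    """Recover a single-byte XOR key from a blob that should decrypt to a PE.
    Returns None when the blob does not decrypt to something PE-like."""
    if len(blob) < 2:
        return None
    key = blob[0] ^ ord("M")                  # first plaintext byte must be 'M'
    if blob[1] ^ key != ord("Z"):             # ... and the second 'Z'
        return None
    if DOS_STUB not in xor_bytes(blob, key):  # reject chance "MZ" matches
        return None
    return key


def unpack_container(container: bytes):
    """Walk the stacked container, recovering each module's key from its own
    header, so modules encrypted with different keys are all handled."""
    (count,) = struct.unpack_from("<I", container, 0)
    offset = 4
    modules = []
    for index in range(count):
        (length,) = struct.unpack_from("<I", container, offset)
        offset += 4
        blob = container[offset:offset + length]
        offset += length
        key = recover_key(blob)
        if key is None:
            raise ValueError(f"module {index}: no single-byte XOR key yields a PE header")
        modules.append((key, xor_bytes(blob, key)))
    return modules


if __name__ == "__main__":
    sample = build_container([fake_module(b"keylog"), fake_module(b"c2")], [0x5A, 0x7F])
    for key, plain in unpack_container(sample):
        print(f"key=0x{key:02x} size={len(plain)} tail={plain[-16:]!r}")
```

The DOS-stub check matters: with a single-byte key, any blob can be made to start with "MZ" by picking the right key, so the first two bytes alone prove nothing. A longer repeating key is handled the same way by lining the known plaintext up against the ciphertext at the offset where the PE header puts it.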

The interesting part is that once extraction finishes, the installer automatically launches the clean EXE it has just dropped. That executable is a legitimate, signed binary taken from Microsoft Malware Protection (MsMpEng.exe) or from Kaspersky Anti-Virus (ushata.exe).

When such an executable starts, it looks for a DLL by name in its own directory and loads it. The installer places its DLL next to the signed EXE, so the DLL is loaded into the security product's process (DLL side-loading) and runs with that application's rights, which Bookworm uses to install itself as a Windows service.

From that point Bookworm has all the permissions it needs to run the modules stored in Readme.txt. It opens communication with the C&C server, fetching additional malicious modules while sending stolen data back.
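The security-relevant point of the installation chain above is that a signed antivirus executable is the process doing the loading, so a hunt for Bookworm-style side-loading has to look at where the signed host runs from and what it loads, not at the host's signature. The following is an added detection example (not code from the article or from Palo Alto) that runs that logic over constructed records in the shape of Sysmon Event ID 7 (Image loaded). The expected install directories, the temp-folder paths, the DLL names (MpSvc.dll and ushata.dll) and the signature states in the sample are assumptions for the example; the page does not state them.

```python
from pathlib import PureWindowsPath

# The two signed side-loading hosts named in the article, mapped to the
# directories the real products install them under (assumed typical paths).
WATCHED_HOSTS = {
    "msmpeng.exe": (r"C:\Program Files\Windows Defender",
                    r"C:\ProgramData\Microsoft\Windows Defender\Platform"),
    "ushata.exe": (r"C:\Program Files (x86)\Kaspersky Lab",
                   r"C:\Program Files\Kaspersky Lab"),
}

# Constructed records in the shape of Sysmon Event ID 7 (Image loaded).
# Paths, DLL names and signature states are made up for this example.
SAMPLE_EVENTS = [
    {"Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2011.6-0\MsMpEng.exe",
     "ImageLoaded": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2011.6-0\MpSvc.dll",
     "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\RarSFX0\MsMpEng.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\RarSFX0\MpSvc.dll",
     "SignatureStatus": "Unavailable", "Signature": ""},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\RarSFX0\ushata.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\RarSFX0\ushata.dll",
     "SignatureStatus": "Unavailable", "Signature": ""},
    {"Image": r"C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 16.0.0\ushata.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 16.0.0\ushata.dll",
     "SignatureStatus": "Valid", "Signature": "Kaspersky Lab"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll",
     "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
]


def is_under(path: str, root: str) -> bool:
    """True when path lies inside root (case-insensitive, any depth)."""
    return PureWindowsPath(root) in PureWindowsPath(path).parents


def check_image_load(event: dict) -> list:
    """Return the reasons this image-load event looks like side-loading of a
    watched security-product executable; an empty list means nothing suspicious."""
    host = PureWindowsPath(event["Image"])
    expected_dirs = WATCHED_HOSTS.get(host.name.lower())
    if expected_dirs is None:
        return []
    reasons = []
    # 1. A signed host copied out of its product directory is the first signal.
    if not any(is_under(event["Image"], d) for d in expected_dirs):
        reasons.append(f"{host.name} running from unexpected directory {host.parent}")
    # 2. A DLL loaded from the host's own directory without a valid signature
    #    is the side-loaded payload; signed product DLLs in the same folder pass.
    loaded = PureWindowsPath(event["ImageLoaded"])
    same_dir = loaded.parent == host.parent
    if same_dir and loaded.suffix.lower() == ".dll" and event.get("SignatureStatus") != "Valid":
        reasons.append(f"{host.name} loaded {loaded.name} from its own directory "
                       f"with signature status {event.get('SignatureStatus')!r}")
    return reasons


def scan(events) -> list:
    """Run the check over a batch of events; returns (host image, reason) pairs."""
    return [(ev["Image"], reason) for ev in events for reason in check_image_load(ev)]


if __name__ == "__main__":
    for image, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT {image}: {reason}")
```

The two checks are deliberately combined: a legitimate MsMpEng.exe in its install directory loads DLLs from that same directory all day, so alerting on the host name alone is noise, and an attacker can also drop the host into a look-alike directory, so the signature state of what it loads is needed as well. Whether Bookworm's loader DLL is unsigned is not stated on the page and is treated as an assumption here; if a campaign ships a signed loader, the location check and the version of the signed host versus the installed product remain as signals.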

The researchers did not say which other modules they found. Bookworm is hard to analyse because its C&C channel uses at least four algorithms: RC4, AES and XOR for encryption, plus LZO for compression.

iGuRu.gr

Written by giorgos
