4 April 2008 08:50 GMT
Evasion through (self) Injection II
Fraser’s article Evasion through Injection outlined how and why malware employs injection to evade runtime detection; however, a different style of self-injection, or rather self-loading, is also being used to avoid detection on disk.
The basic concept is that of a letter-envelope idiom, where a generic envelope is used to deliver a third-party malware component to the compromised computer. The difference from a regular dropper is that the delivered component is never written to disk, in an attempt to avoid on-access scanners.
Troj/Agent-GUP is one example of such a letter-envelope. It begins by decoding the loader code (the “envelope”), which then decrypts an embedded executable (the “letter”).
Now, instead of injecting the executable into another process, it simply hooks up the imports and transfers execution to the guest’s entry point. The guest exists only as a decrypted buffer inside the envelope’s own process, so an on-access scanner never gets a file to look at; it has to be caught either by recognising the envelope itself or by scanning memory after the letter has been unpacked.
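As an added illustration (this is not code from the original post, nor from the samples it describes), the following Python builds a constructed, harmless PE32 “letter” that contains nothing but a real import table, wraps it in a toy XOR “envelope”, and then performs in pure Python, over a byte buffer, the steps the loader stub performs at run time: decrypt the letter, lay its sections out at their virtual addresses, walk the import directory to fill the IAT, and compute the entry point it would jump to. It also shows why the on-disk scanner is blind here: the usual MZ/PE header check finds no executable in the envelope bytes, but finds one in the decrypted buffer and in the mapped image. All names, addresses and the XOR key are made up; the FAKE_EXPORTS table stands in for GetProcAddress, base relocations are omitted (the constructed guest has no .reloc section and is assumed to land at its preferred ImageBase), and nothing is ever executed.

```python
import struct

# Constructed constants for the toy guest. Nothing here is taken from a real sample.
SECTION_VA, IMAGE_BASE, FILE_ALIGN, HEADERS_SIZE = 0x1000, 0x400000, 0x200, 0x200
KEY = b"\x5a\xa5\x3c\xc3"                       # toy XOR key for the "envelope"
STUB = b"[hypothetical loader stub; the encrypted letter follows]\0"
FAKE_EXPORTS = {                                # stands in for GetProcAddress (made-up addresses)
    "kernel32.dll": {"GetProcAddress": 0x7C80AE40, "ExitProcess": 0x7C81CAFA},
    "user32.dll": {"MessageBoxA": 0x7E4507EA},
}

def align_up(n, a):
    return (n + a - 1) // a * a

def cstr(buf, off):                             # NUL-terminated string at offset
    return bytes(buf[off:buf.index(b"\0", off)])

def dword(buf, off):
    return struct.unpack_from("<I", buf, off)[0]

class Section:
    """Accumulates the guest's single section and hands out RVAs as data is added."""
    def __init__(self):
        self.buf = bytearray()
    def add(self, data, align=4):
        self.buf += b"\0" * (-len(self.buf) % align)
        rva = SECTION_VA + len(self.buf)
        self.buf += data
        return rva

def build_guest():
    """Build a minimal PE32 'letter': DOS/NT headers, one section, a real import table."""
    s = Section()
    entry_rva = s.add(b"\xC3" * 16)             # stand-in entry point (just 'ret')
    descriptors = b""
    for dll, funcs in (("kernel32.dll", ["GetProcAddress", "ExitProcess"]),
                       ("user32.dll", ["MessageBoxA"])):
        name_rva = s.add(dll.encode() + b"\0", 1)
        # IMAGE_IMPORT_BY_NAME entries: WORD hint (0) + name; thunk list is NUL-terminated
        thunks = b"".join(struct.pack("<I", s.add(b"\0\0" + f.encode() + b"\0", 2))
                          for f in funcs) + b"\0\0\0\0"
        int_rva, iat_rva = s.add(thunks), s.add(thunks)   # IAT starts as a copy of the INT
        descriptors += struct.pack("<IIIII", int_rva, 0, 0, name_rva, iat_rva)
    descriptors += b"\0" * 20                   # all-zero descriptor ends the table
    import_rva = s.add(descriptors)
    raw = bytes(s.buf)
    raw_size = align_up(len(raw), FILE_ALIGN)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", 0x10B, 0, 0, len(raw), 0, 0,
                      entry_rva, SECTION_VA, 0, IMAGE_BASE, 0x1000, FILE_ALIGN,
                      4, 0, 0, 0, 4, 0, 0, align_up(SECTION_VA + len(raw), 0x1000),
                      HEADERS_SIZE, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 1 * 8, import_rva, len(descriptors))  # DataDirectory[IMPORT]
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(raw), SECTION_VA, raw_size,
                       HEADERS_SIZE, 0, 0, 0, 0, 0x60000020)
    hdrs = dos + b"PE\0\0" + file_hdr + opt + bytes(dirs) + sect
    return hdrs.ljust(HEADERS_SIZE, b"\0") + raw.ljust(raw_size, b"\0")

def xor_bytes(data):
    return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(data))

def wrap(guest):                 # what the author's build step does: stub + encrypted letter
    return STUB + xor_bytes(guest)

def unwrap(envelope):            # what the stub does at run time, entirely in memory
    return xor_bytes(envelope[len(STUB):])

GUEST = build_guest()            # constructed sample, never written to disk here
ENVELOPE = wrap(GUEST)

def find_embedded_pe(buf):
    """Scanner-style check: an 'MZ' whose e_lfanew lands on 'PE\\0\\0'. None if absent."""
    pos = buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):
            sig = pos + dword(buf, pos + 0x3C)
            if sig + 4 <= len(buf) and buf[sig:sig + 4] == b"PE\0\0":
                return pos
        pos = buf.find(b"MZ", pos + 1)
    return None

def map_image(pe):
    """Lay the file out as it looks in memory: headers, then each section at its VA."""
    e_lfanew = dword(pe, 0x3C)
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    image = bytearray(dword(pe, opt + 56))                  # SizeOfImage
    hdr_size = dword(pe, opt + 60)                          # SizeOfHeaders
    image[:hdr_size] = pe[:hdr_size]
    for i in range(nsect):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
        n = min(vsize, rawsize)
        image[va:va + n] = pe[rawptr:rawptr + n]
    return image

def resolve_imports(image, exports):
    """The 'hook up the imports' step: walk the import directory and fill the IAT.
    Returns one (iat_slot_rva, 'dll!symbol', address) tuple per resolved import."""
    opt = dword(image, 0x3C) + 24
    desc = dword(image, opt + 96 + 8)                       # DataDirectory[1] = IMPORT
    resolved = []
    while dword(image, desc + 12):                          # Name == 0 ends the table
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", image, desc)
        dll = cstr(image, name_rva).decode().lower()
        lookup, i = (oft or ft), 0                          # INT if present, else the IAT itself
        while dword(image, lookup + 4 * i):
            thunk = dword(image, lookup + 4 * i)
            sym = thunk & 0xFFFF if thunk & 0x80000000 else cstr(image, thunk + 2).decode()
            addr = exports.get(dll, {}).get(sym)
            if addr is None:
                raise LookupError(f"unresolved import {dll}!{sym}")
            struct.pack_into("<I", image, ft + 4 * i, addr)   # write the IAT slot
            resolved.append((ft + 4 * i, f"{dll}!{sym}", addr))
            i += 1
        desc += 20
    return resolved

def entry_point(image):
    opt = dword(image, 0x3C) + 24
    return dword(image, opt + 28) + dword(image, opt + 16)  # ImageBase + AddressOfEntryPoint

def deliver(envelope, exports):
    """The whole envelope at run time: decrypt, map, resolve imports, hand over control."""
    image = map_image(unwrap(envelope))
    resolved = resolve_imports(image, exports)
    return image, resolved, entry_point(image)

if __name__ == "__main__":
    print("PE visible in the envelope on disk:", find_embedded_pe(ENVELOPE))
    image, resolved, ep = deliver(ENVELOPE, FAKE_EXPORTS)
    print("PE visible in the mapped image:", find_embedded_pe(image))
    for slot, name, addr in resolved:
        print(f"  IAT[{slot:#06x}] = {addr:#010x}  {name}")
    print(f"would transfer execution to {ep:#x}")
```

The point to take from running it is the asymmetry: find_embedded_pe returns None for ENVELOPE, which is all a file scanner ever sees, yet the same check returns 0 against the unwrapped buffer and against the mapped image, which is what a memory scan or a dump taken at the moment the envelope jumps to the guest would contain. A real loader stub also has to apply base relocations when it cannot allocate at ImageBase and may have to fix section protections; both are left out here because the constructed guest needs neither.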
Troj/EncLoad-A uses a similar technique. Although the technique is not new, it illustrates the range of approaches malware authors are using to avoid detection both on disk and in memory.
Pete, SophosLabs AU
