New Alureon variant improves on old evasion techniques

The Alureon Trojan (also known as TDL, TDSS and Tidserv) has been around since 2007, and it’s function consist mainly in allowing the attacker to intercept incoming and outgoing Internet traffic so that he can collect information such as login credentials and credit card data, but also to allow him to infect the affected system with additional malware.

As time passed, the Alureon family of Trojans has been modified and managed to acquire rootkit capabilities and used a number of techniques to remain hidden from the user and AV solutions.

This time, Microsoft researchers have spotted a variant that uses brute-force attacks against its encryption key to decrypt its components, making it even more difficult to spot and analyze, and for researchers to break down and understand.

“A particular set of files was taking longer to exhibit malicious behaviour than others,” say the researchers. “We started looking for why this was so, and ended up with a blast from the past. This time the malware was using Win32/Crypto-style decryption to elude anti-virus scanners.” Win32/Crypto, the virus from which this technique was poached, was first spotted all the way back in 1999.

“The decryption function keeps a record of all previously tried keys to avoid using the same key over and over again and so running for an exceptionally long time on a user’s machine. This means that the function will try at most 255 times before successfully recovering the key. This magic value used in the last decryption step is previously retrieved from the header of the encrypted file,” they explain.

But that’s not the only obfuscation and evasion technique this new variant uses. It also scatters the encrypted data throughout the code, data and resources, additionally complicating the static recovery of the encrypted file.