Computer virus 2.0: nostalgia meets modern malware features in the wild

Classic computer viruses, which write their malicious code into executable files already present on the system, have become less important since the turn of the millennium. They no longer play any significant role in everyday malware, and the term "virus" is now used primarily as a synonym for malware in general.

However, malware analysts from the security software company Kaspersky have made an unusual discovery: malware targeting Windows systems that is circulating in the wild and uses classic file infection techniques to spread.

Although Kaspersky classifies it as a virus, "KBOT" is a fairly modern all-rounder. As the name suggests, it integrates infected computers into a botnet. It can receive commands (for example, to delete or send files) from remote command-and-control (C2) servers, and it downloads extension modules and updates as well as stand-alone malware (currently spyware). An infected EXE file only needs to be executed once per system; it serves only as the initial infection.

According to Kaspersky, KBOT currently focuses primarily on the theft of bank, credit and other sensitive data. Thanks to its (very modern) modular structure and its C2 infrastructure, KBOT could also easily shift to other "specialties".

An overview of KBOT infections between March and December 2019 shows that the malware has spread widely. However, the infection numbers are still quite modest: Kaspersky recorded between 900 and 1500 infections for Germany.


As a blog entry by the Kaspersky team with the fitting title "KBOT: sometimes they come back" explains, the malware initially reaches the computer via the Internet, the local network or external storage media. When asked by heise Security, Anna Malina, Senior Malware Analyst at Kaspersky, explained that KBOT, contrary to the description in the blog entry, does not infect all EXE files, but only files on removable media and in shared network folders. In particular, it spares files whose infection could damage the operating system.

Like many of its "ancestors", KBOT uses partly polymorphic code, which looks a little different in every infected file, in order to defeat signature-based detection mechanisms. It overwrites the beginning of the code section of the respective EXE file and also appends code, initially encrypted, to other sections. It then overwrites the program code at the entry point of the EXE file and places a jump instruction there that leads to the virus code in the code section. This way, KBOT's code runs when an infected file is launched.
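As an added illustration (not code from Kaspersky's analysis or from the original article), the two structural traits described above, a jump at the entry point and encrypted data in other sections, can be checked as generic triage signals with standard-library Python. The function names, the 7.0 entropy threshold and the sample files are assumptions constructed for this example; both signals also fire on benign packed or compressed executables, so they mark files for closer analysis rather than identify KBOT.

```python
import math
import struct
from collections import Counter

def sections(data):
    """Return (entry_rva, [(name, rva, raw_size, raw_ptr), ...]) for a PE image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    count, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    entry = struct.unpack_from("<I", data, pe + 40)[0]     # AddressOfEntryPoint
    out = []
    for i in range(count):
        name, _vsize, rva, rsize, rptr, _flags = struct.unpack_from(
            "<8sIIII12xI", data, pe + 24 + opt_size + 40 * i)
        out.append((name.rstrip(b"\0").decode("latin-1"), rva, rsize, rptr))
    return entry, out

def entropy(buf):
    """Shannon entropy in bits per byte (8.0 means uniformly random)."""
    probs = [n / len(buf) for n in Counter(buf).values()]
    return -sum(p * math.log2(p) for p in probs)

def triage(data, threshold=7.0):
    """Return a list of findings; an empty list means neither signal fired."""
    entry, secs = sections(data)
    findings = []
    for name, rva, rsize, rptr in secs:
        if rva <= entry < rva + rsize:
            if data[rptr + entry - rva] in (0xE9, 0xEB):   # JMP rel32 / JMP rel8
                findings.append("entry-jump:" + name)
        elif entropy(data[rptr:rptr + rsize]) >= threshold:
            findings.append("high-entropy:" + name)
    return findings

def build_sample(text, extra):
    """Constructed two-section PE32 skeleton, just enough header for triage()."""
    img = bytearray(0x200)
    img[:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                # e_lfanew
    struct.pack_into("<H12xH", img, 0x46, 2, 0xE0)         # 2 sections, PE32 optional header
    struct.pack_into("<I", img, 0x40 + 40, 0x1000)         # entry point RVA
    for i, name in enumerate((b".text", b".data")):
        struct.pack_into("<8sIIII12xI", img, 0x138 + 40 * i, name,
                         0x200, 0x1000 * (i + 1), 0x200, 0x200 * (i + 1), 0)
    return bytes(img) + text.ljust(0x200, b"\0") + extra.ljust(0x200, b"\0")

CLEAN = build_sample(b"\x55\x8b\xec", b"")                 # ordinary prologue, empty data
SUSPECT = build_sample(b"\xe9\x00\x01\x00\x00", bytes(range(256)) * 2)  # jmp + random-looking data
```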

The encrypted code is decrypted at runtime; it contains the bot functionality and forms the main module of the malware. KBOT injects this code into running system processes in order to fly under the radar of various detection mechanisms. It also takes numerous other precautions to anchor itself permanently in the system, to be executed again every time the system starts, and to hide itself and any downloaded files from the user. Interested readers can find out exactly how this works in Kaspersky's detailed blog entry.


Given the multi-faceted game of hide-and-seek that the malware plays according to Kaspersky's blog entry, its relatively clumsy approach to file infection is surprising: the files infected by KBOT do not retain their original function. "After starting the file, the user sees no result of the start, (…) the harmful functionality is invisible to the user," Malina told heise Security.

There are infection techniques that do not affect the original functionality of executable files. Earlier viruses achieved this, for example, by appending their code to the end of the file or writing it into the NULL bytes between the sections. Minimal patches to the original program code were then sufficient to execute the malicious and the original code in succession, unnoticed by the user. It was often even possible to largely clean the files up again. "The creators of KBOT have apparently decided not to focus on this aspect," said Malina.

In view of the otherwise well-thought-out approach, it seems possible that the malware will learn a few tricks from its ancestors in upcoming variants, or that its makers, like so many before them, will abandon the virus strategy again. At the current stage of development, the apparently "broken" EXE files it leaves behind as relics of infection are likely to be more of a hindrance than a help to KBOT's camouflage.

