Dell SecureWorks, the counter threat service that Dell bought in 2011, is reporting on a new outbreak of the malware family STEGOLOADER, which has a different M.O. that makes it hard to detect. All that persists on the machine is a small loader that downloads the core module. This loader can be changed easily and might even have the ability to change itself to avoid detection. That is all the anti virus software has to work with.
Once it loads this core module, that module downloads a picture. Yes, a picture. Potentially it could be any picture, hosted on any web site, including compromised legitimate sites. Inside this picture, hidden using steganography (hiding secrets in plain sight), is the first piece of malware. However, this malware is never written to disk. If you reboot the machine, it just downloads it again.
Now the malware has a beachhead and can download other modules using this same technique. If the anti virus software looks on the disk, there are no new files to scan. If the software scans the downloaded file, all it sees is a picture.
The software is modular and downloads whatever modules it needs. This allows for easy updates each time the core module is reloaded – for example, if the anti virus guys come up with a way to detect it, just morph it to avoid the detection.
The data (malware) that is extracted from the picture is compressed and encrypted just to make things more fun. While the decryption key is hardcoded, different samples have different keys.
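An added example, not from the original post or from SecureWorks: the classic Westfeld/Pfitzmann chi-square check a defender can run on "just a picture" when the suspicion is that an encrypted payload (which looks like random bits) has been written into pixel least-significant bits. The post does not describe Stegoloader's actual embedding scheme, so this is the general check against naive sequential LSB replacement only; both pixel buffers below are constructed, and the 8-bit greyscale layout and the threshold value are assumptions for the demo.

```python
"""Chi-square test for LSB-replacement steganography (added example).

Assumes an image as a bytes object of 8-bit grey pixels. LSB replacement
pushes the counts of each value pair (2k, 2k+1) toward equality, so an
embedded image scores far LOWER than an untouched one.
"""
import random
from collections import Counter


def chi_square_lsb(pixels: bytes) -> float:
    """Westfeld/Pfitzmann statistic: one term per pair (2k, 2k+1), 127 d.o.f."""
    hist = Counter(pixels)
    stat = 0.0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2.0          # what LSB replacement drives toward
        if expected > 0:
            stat += (even - expected) ** 2 / expected
    return stat


def make_clean_image(n: int = 20000, seed: int = 1) -> bytes:
    """Constructed stand-in for an untouched image: quantisation makes the
    even code of each pair much more common than the odd one."""
    rng = random.Random(seed)
    out = bytearray()
    for _ in range(n):
        v = int(rng.gauss(120, 30)) & 0xFE     # even value in 0..254
        if rng.random() < 0.2:                 # only 20% land on the odd code
            v |= 1
        out.append(v)
    return bytes(out)


def embed_random_lsb(pixels: bytes, seed: int = 2) -> bytes:
    """Overwrite every LSB with a pseudo-random bit, which is what sequential
    LSB replacement of a compressed-and-encrypted payload looks like."""
    rng = random.Random(seed)
    return bytes((p & 0xFE) | rng.getrandbits(1) for p in pixels)


def looks_embedded(pixels: bytes, threshold: float = 1000.0) -> bool:
    """Demo decision rule (threshold is a constructed value, not a tuned one).
    A fully embedded buffer scores near the 127 d.o.f. expectation; the real
    test converts the statistic to a chi-square p-value instead."""
    return chi_square_lsb(pixels) < threshold
```

This catches only naive full-image LSB replacement; payloads appended after the end-of-image marker, stored in metadata, or embedded adaptively need other checks.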
The malware is in constant contact with its control server, but those messages are also encrypted. That way the control server can change the malware's behavior as needed.
The malware can detect if it is being analyzed – like by being run inside a virtual machine – and if so, it just shuts down.
Since it is modular, it can do many things, but one thing that it does do is steal passwords – like email passwords and SSH passwords. Since it is running in memory, in your PC, link encryption like SSL does not make any difference. Any passwords in memory are potential targets.
Trend Micro says that the main targets it is seeing are healthcare followed by finance, and most of the infections are in the U.S.
Obviously, in either of these environments, stolen passwords can yield a lot of sensitive information.
This category of malware is difficult to detect, which is why it is becoming popular. If people and companies want to stop this class of malware, it will require some out-of-the-box thinking, and the result may require users to make some adjustments. Just part of the evolution of malware.