An onion of obfuscation (arcanesentiment.blogspot.com)
55 points by blasdel on Jan 8, 2010 | hide | past | favorite | 8 comments


I'm a little confused. He says that it's a phishing attack and not a virus, but isn't the eventual payload an executable that does lots of dark win32 magic? I kept expecting him to describe how it launches your browser to a fake bank login site. Just curious... did I miss something?


You're correct, the analysis is incomplete without analyzing the payload.


He thinks it's for replacing a bit of your browser and doing phishing that way, based entirely on the symbols the executable imports. So it's a guess, but a semi-educated one.


I'll capitulate, but only if we get to subsequently call it a "phirus". (Though I suppose the lack of self-replication precludes calling it a virus.)


by chance it appeared to come from someone who has previously written to me

To me, this suggests a viral nature of the attack.


I think the correct term would be 'malicious agent', which is a program that does something bad, but we don't know what for now.


I'd be interested to know which steps of the packaging process were done automatically. Presumably these two could be automated in a straightforward fashion:

Embedding a script in a command via cmd /C ... & ... & ... (twice)

Generating a script and then running it (four times)

The call to IsDebuggerPresent in the final payload executable would be about zero inconvenience to a malware analyst. The sophistication of the packing makes me think there are probably other anti-debug techniques present.
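
One way to see what such an automated packer has to produce is to peel a chain of that shape statically. The following is an added example and not code from the post or from the analysed sample; the command line it parses is constructed to have the two shapes the comment counts (a `cmd /C ... & ...` wrapper and an echo-a-script-then-run-it step) nested two layers deep, and the `split_chain`, `peel` and `tally` names are assumptions of this example. It models cmd.exe's `&` / `&&` separators, `^` escapes and double-quote handling, records each `echo ... > file` as script generation and each run of a generated file as the next layer, and stops at a non-batch script body rather than executing anything.

```python
import re

# Added example, not code from the post or the analysed sample. It statically
# unwraps a constructed dropper command line of the shape the thread describes:
# "cmd /C ... & ..." chains that echo a script to disk and then run it, nested
# several layers deep. Nothing is executed; the chain is only parsed.

# cmd.exe conventions the parser models: '&' and '&&' separate commands, '^'
# escapes the next character, and '&' inside double quotes is literal.
CMD_C = re.compile(r'^cmd(?:\.exe)?\s+/c\s+', re.I)
ECHO_REDIRECT = re.compile(r'^echo\s+(.*?)\s*(>>|>)\s*"?([^\s"]+)"?\s*$', re.I)
RUN = re.compile(r'^(?:(?:call|start|cscript|wscript)\s+(?:/\S+\s+)*)?"?([^\s"]+)"?\s*$', re.I)


def split_chain(cmdline):
    """Split one cmd.exe line on unescaped, unquoted '&' / '&&', removing one layer of '^' escapes."""
    parts, cur, i, quoted = [], [], 0, False
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch == '^' and i + 1 < len(cmdline):
            cur.append(cmdline[i + 1])        # '^x' -> literal x
            i += 2
            continue
        elif not quoted and ch == '&':
            parts.append(''.join(cur).strip())
            cur = []
            i += 2 if cmdline.startswith('&&', i) else 1
            continue
        cur.append(ch)
        i += 1
    parts.append(''.join(cur).strip())
    return [p for p in parts if p]


def peel(cmdline, depth=0, events=None, files=None):
    """Walk one layer of the onion. Returns a list of (depth, kind, detail) tuples."""
    events = [] if events is None else events
    files = {} if files is None else files   # generated file -> lines written to it so far
    m = CMD_C.match(cmdline)
    if m:                                    # "cmd /C ..." wrapper around the rest of the line
        events.append((depth, 'cmd /C wrapper', cmdline[:m.end()].strip()))
        cmdline = cmdline[m.end():]
    for part in split_chain(cmdline):
        m = ECHO_REDIRECT.match(part)
        if m:                                # "echo <line> > file" / ">> file": script generation
            content, op, target = m.group(1).strip(), m.group(2), m.group(3)
            lines = files.setdefault(target, [])
            if op == '>':
                lines.clear()
            lines.append(content)
            events.append((depth, ('append to ' if op == '>>' else 'write ') + target, content))
            continue
        m = RUN.match(part)
        if m and m.group(1) in files:        # running a file this chain generated: next layer
            target = m.group(1)
            events.append((depth, 'run ' + target, part))
            if target.lower().endswith(('.bat', '.cmd')):
                for line in list(files[target]):   # each batch line is itself a cmd line
                    peel(line, depth + 1, events, files)
            else:                            # .vbs/.js etc.: stop and record the payload text
                events.append((depth + 1, 'script payload ' + target, '\n'.join(files[target])))
            continue
        events.append((depth, 'command', part))
    return events


def tally(events):
    """Count what the comment above counts: cmd /C wrappers and generate-then-run steps."""
    return {
        'cmd_c_wrappers': sum(1 for _, kind, _ in events if kind == 'cmd /C wrapper'),
        'generated_scripts_run': sum(1 for _, kind, _ in events if kind.startswith('run ')),
        'layers': max(d for d, _, _ in events) + 1,
    }


# Constructed sample (not the thread's real dropper): the outer cmd /C writes a batch file
# whose only line is another cmd /C that writes a two-line VBScript and runs it.
SAMPLE = (
    'cmd /C echo cmd /C echo Set sh = CreateObject("WScript.Shell") ^> p.vbs '
    '^& echo sh.Run "calc" ^>^> p.vbs ^& cscript //nologo p.vbs > s.bat & call s.bat'
)

if __name__ == '__main__':
    evs = peel(SAMPLE)
    for depth, kind, detail in evs:
        print('  ' * depth + kind + ': ' + detail.replace('\n', ' | '))
    print(tally(evs))
```

Each `^` survives only until the layer that consumes it, which is why the parser removes exactly one escape layer per `split_chain` call: the text written to `s.bat` still contains the `&` and `>` the next layer needs, and the VBScript body comes out clean at the bottom. A real unwrapper would also need `|`, `||` and parenthesised groups, and would have to follow `cmd /C` into quoted arguments, but the counting the comment does (wrappers versus generate-and-run steps) already falls out of the event list.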


I was hoping that an onion was the name for a group of obfuscations as per http://www.futilitycloset.com/2010/01/03/a-field-guide/



