Feeding Packed Malware Binaries

Remember the avvcc.com domain which I mentioned in a previous example of a fast-flux network using the WebAttacker kit two months ago? It’s still up and running this time hosting online gaming accounts password stealer, and the binary is packed using five different packers in exactly the same fashion like the binary obtained two weeks ago. The domain itself is a great example of a fast-flux network, a term coined by the Honeynet Project to showcase the growing complexity and evasive techniques introduced by the malicious ecosystem, on their road to invisibly control, evaluate and manage their malicious campaigns online.

Packed binary obtained two weeks ago :

File size: 205917 bytes
MD5: ef11bed4a5f4d61ad771204d1ec6ac25
SHA1: 6c35869de5ef20b949b3d9f53e111f26f4631569
packers: PECompact, NsPack
packers: ZIP, PecBundle, PECompact

Packed binary as of today :

File size: 76800 bytes
MD5: 17d12aecb7aba82ecc38dd6d2dd3e3b3
SHA1: 439947056d1005ec8738ed19e84bbba043556a2f
packers: PecBundle, PECompact

Both binaries have a relatively high detection rate, but that’s not the point. The point is the ongoing trend of malware embedded web sites, which in combination with a fast-flux network prompts the need for re-evaluating your security policies and preemptive security strategy.

Fast-flux networks graph courtesy of the Honeynet Project & Research Alliance.

Author: Dancho Danchev

Leave a Reply

Your email address will not be published. Required fields are marked *