Sunday, October 8, 2017

This is probably important

So, last week, I was looking at a bit of malware that was posting to gmail.com/upload.php. This was obviously a non-existent url, so I was wondering ... why?

In the fulness of time, with a bit of help from some friends, I came to understand that it was only pretending to write to gmail.com/upload.php, and it was just trying to cover its tracks. This was a Dimnie variant, with a great write-up here. (Thanks Kevin. You know who you are.)

There was this write-up, and another by Symantec at about the same time, and the nub of the matter are these points:

(1) Dimnie had been around for a few years by the time it was finally noticed in March of 2017. This means it is subtle.
(2) Dimnie achieves persistence by injecting itself into running processes. It would probably go away if the computer was rebooted, but that doesn't happen often.
(3) The versions that Paloalto and Symantec saw seemed to surveil the target. They looked for what processes were running, possibly for extra vulnerabilities, that might be used later. This means nothing, right?
(4) Initial versions installed a keylogger, but the framework was sufficiently flexible that anything could be installed. The bottom line here is that if ever you let malware loose on your computer, it is no longer yours. It belongs to someone else.
Think about this...
In my initial tests, only one product blocked it by behavior.
It took three years to be noticed the first time, in March 2017. It doesn't seem to have been seen much since then, and I stumbled on it by accident.
This either means that there have been no new versions since March, or ... given that we know they are subtle, could it be that they are simply changing it every day, as with the other bit of malware that I blogged about earlier? We could well have been missing them since March.

In my opinion, given also that its primary objective sure _feels_ like surveillance, this proves that we must start focussing on non-signature malware detection. Again, I'm not knocking signature scanners... they are vital.... we simply have to do more, and it's up to us testers to focus on testing that, rather than just sigs.

Stayed tuned, folks.

No comments: