Dmitry Bestuzhev @KasperskyLab discovered a new malware infection method: encrypted malware hidden inside a file served as a JPEG image that actually has a BMP file structure. After further analysis, he found that the attacker had used a block cipher.
This is what the malicious program looked like after decryption:
By using this technique, the virus creators kill several birds with one stone.
- Firstly, it may cause automated malware analysis systems to function incorrectly: the file is downloaded and analyzed by the antivirus product and given the all-clear; with time the link will be exempted from checks altogether.
- Secondly, the administrators of the sites where such encrypted malicious files are hosted won’t be able to identify them as malicious and will leave them as they are.
- Thirdly, some malware researchers may not have the time or necessary expertise to deal with them. All of this plays into the hands of the cybercriminals.
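A defender-side triage check for the trick described above, added here as an example and not taken from the original post or from Kaspersky's own tooling: it flags a file whose name claims JPEG but whose header is a BMP container, and whose pixel region has the near-uniform byte distribution that block-cipher ciphertext produces instead of image data. The sample files, the 7.0 bits-per-byte threshold and the minimal BMP builder are constructed for the demo.

```python
import math
import os
import struct

# Constructed sample builder (not real malware): 14-byte BMP file header plus a
# 40-byte BITMAPINFOHEADER, followed by whatever "pixel" payload we hand it.
def build_bmp(payload: bytes) -> bytes:
    pixel_offset = 54
    header = b"BM" + struct.pack("<IHHI", pixel_offset + len(payload), 0, 0, pixel_offset)
    dib = struct.pack("<IiiHHIIiiII", 40, 16, 16, 1, 24, 0, len(payload), 0, 0, 0, 0)
    return header + dib + payload

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for constant data up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def inspect_image(filename: str, data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Compare the declared extension with the real container and measure payload entropy."""
    ext = os.path.splitext(filename)[1].lower()
    is_bmp = data[:2] == b"BM" and len(data) >= 54
    is_jpeg = data[:3] == b"\xff\xd8\xff"
    container = "bmp" if is_bmp else "jpeg" if is_jpeg else "unknown"
    result = {"declared": ext, "container": container, "entropy": 0.0, "suspicious": False}
    if is_bmp:
        # Offset of the pixel array is the little-endian DWORD at byte 10 of the file header.
        pixel_offset = struct.unpack_from("<I", data, 10)[0]
        result["entropy"] = round(shannon_entropy(data[pixel_offset:]), 2)
    mismatch = ext in (".jpg", ".jpeg") and container != "jpeg"
    # Ciphertext stored as "pixels" looks like random bytes; a flat image does not.
    result["suspicious"] = mismatch and result["entropy"] >= entropy_threshold
    return result

if __name__ == "__main__":
    # Constructed inputs: uniform bytes stand in for ciphertext, zeros for a blank image.
    print(inspect_image("photo.jpg", build_bmp(bytes(range(256)) * 8)))
    print(inspect_image("photo.jpg", build_bmp(b"\x00" * 2048)))
```

Real JPEGs are themselves compressed and score high on entropy, which is why the check keys on the container mismatch first and uses entropy only to separate ciphertext from an innocent mislabelled bitmap.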
This is the decryption script for the current sample: