Rodpicom Botnet: Upping the Ante of Chat Malware
Forget drawing your blinds and locking your doors. In the age of social networking, text messaging and instant messenger, you can have access to almost anyone with the click of a button. And, as anyone with a mobile device or a laptop can attest, it is far more difficult to fend people off than it is to gain access.
This fact is not lost on malware authors, who, by practically all reports, are having a field day. Case in point: Fortinet’s FortiGuard Labs researchers have discovered a new strain of malware that spreads via messaging applications such as Skype and MSN Messenger.
The malware, which the labs dubbed W32/Rodpicom.A, sends a message to the victim with a link to a malicious site that leads to downloadable content. Once the target machine is infected, the malware checks to see if the victim is using any messaging applications such as Skype or MSN Messenger. It’s stealthy enough to wait until the victim logs in to one of the chat applications before sending a message with the malware link.
According to FortiGuard Labs researcher Raul Alvarez, the malware employs a slew of stealth tactics -- including an exception handling technique that generates its own error -- to dodge analysis and make detection a lot more challenging. The evasive malware also relies on an anti-emulator that attacks the heuristic-scanning capabilities in antivirus software and enables its code to jump around several hundred times. The API function names are also translated as binary numbers, which are more challenging to decipher. The malware leverages its own encryption algorithm to further obfuscate malicious code.
Another one of Rodpicom’s talents is linguistics. The malware checks the language of the installed Windows operating system on the computer by scanning the country code, then customizes the message sent to all of the victim’s Skype contacts. If the infected computer is sourced to the U.S., for example, the malware will send the message “lol is this your new profile pic? http:// goo.gl/[removed]”. However, if the victim computer is from Argentina or any other Latin American country, the victim will receive a similar message in Spanish or Portuguese.
When the user clicks the link, the attack downloads another strain of malware, known as Dorkbot. Dorkbot is the perpetrator responsible for executing the events that propel cybercriminal objectives: downloading more malicious code, contacting the Command and Control server, spamming and a host of other bot-related activities. It is also responsible for downloading an updated version of Rodpicom.
It’s no secret that botnets have evolved and adapted to a growing audience of threat-wise users. As more users have gotten wind of traditional malware tactics, cybercriminals have tailored new attacks accordingly. The result: a rising tide of advanced and intelligent malware designed to evade detection and trick even the most security-savvy of users.
But the net-net is that the same rules apply when putting best practices into play. For users, this means reconditioning old habits to avoid clicking on links delivered via chat, IM or other messaging applications – even if they appear to come from friends or someone they know.
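The spreading behavior described above, one account sending the same lure with a shortened link to all of its contacts, leaves a recognizable fan-out pattern in chat logs. The following detection sketch is an added example, not code from FortiGuard Labs; the log tuple format, the shortener list beyond goo.gl, the time window and the recipient threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: hosts to watch. goo.gl is the shortener named in the article;
# the others are common shorteners added for illustration.
SHORTENERS = {"goo.gl", "bit.ly", "tinyurl.com", "t.co"}
URL_RE = re.compile(r"https?://([^/\s]+)\S*", re.IGNORECASE)
WINDOW = timedelta(seconds=60)   # assumed burst window
MIN_RECIPIENTS = 3               # assumed fan-out threshold

def normalize(text):
    """Replace each short link with its host so differing link paths still match."""
    def repl(m):
        host = m.group(1).lower()
        return f"<{host}>" if host in SHORTENERS else m.group(0)
    return " ".join(URL_RE.sub(repl, text).lower().split())

def find_fanout(events):
    """events: (iso_time, sender, recipient, text) -> [(sender, template, recipients)]."""
    groups = defaultdict(list)
    for ts, sender, rcpt, text in events:
        template = normalize(text)
        if any(f"<{h}>" in template for h in SHORTENERS):
            groups[(sender, template)].append((datetime.fromisoformat(ts), rcpt))
    alerts = []
    for (sender, template), hits in groups.items():
        hits.sort()
        start, best = 0, set()
        for end in range(len(hits)):
            # Shrink the window until it spans at most WINDOW of wall-clock time.
            while hits[end][0] - hits[start][0] > WINDOW:
                start += 1
            rcpts = {r for _, r in hits[start:end + 1]}
            if len(rcpts) > len(best):
                best = rcpts
        if len(best) >= MIN_RECIPIENTS:
            alerts.append((sender, template, sorted(best)))
    return alerts

# Constructed sample chat log (not real data; link paths are placeholders).
SAMPLE = [
    ("2013-05-01T10:00:00", "alice", "bob", "lol is this your new profile pic? http://goo.gl/PLACEHOLDER1"),
    ("2013-05-01T10:00:04", "alice", "carol", "lol is this your new profile pic? http://goo.gl/PLACEHOLDER2"),
    ("2013-05-01T10:00:09", "alice", "dave", "LOL is this your new profile pic?  http://goo.gl/PLACEHOLDER3"),
    ("2013-05-01T10:05:00", "erin", "frank", "slides are here http://bit.ly/PLACEHOLDER4"),
    ("2013-05-01T11:00:00", "gina", "bob", "lunch at noon?"),
    ("2013-05-01T11:00:02", "gina", "carol", "lunch at noon?"),
]
```

Only the burst from `alice` is flagged in the sample: a single short link to one contact, or an identical message without a link, does not meet the threshold.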