anti-analysis


A few weeks ago, our FortiGuard Labs Threat Intelligence system discovered some new suspicious samples as usual. One of these samples caught our attention when we checked its network traffic. For this particular sample, which Fortinet already detects as W32/Foreign.LXES!tr, we found that most of its communication has the HTTP/1.1 404 Not Found status, which should mean that some error has occurred generally. But when we analysed the data further, we realized that it was actually a special trick. The Ping & Pong Commands When it first... [Read More]
by RSS He Xu  |  Apr 09, 2015  |  Filed in: Security Research
A few weeks ago, we received a file that was being spread as an attachment in a spear phishing email. The sample, which we are detecting as W32/Byanga.A!tr, turns out to be a dropper for a bot which, if active in an organization’s system, has the capability to perform malicious activities that can be very damaging to the targeted organization. This post discusses what this particular malware can do. The Dropper The dropper used a Chinese file name, which translates to “Upcoming Events Schedule”.  It also uses a Microsoft... [Read More]
by RSS Margarette Joven  |  Jan 14, 2015  |  Filed in: Security Research
Dofoil, also known as Smoke Loader, is a modularized botnet that has existed for a few years. Since 2013, we have not received any new variants of this bot and the command-and-control (C&C) servers of its previous variants are no longer accessible, making Dofoil seem like a dead botnet. In September 2014, however, we have received a brand new Dofoil variant that carries more features. This blog post will discuss our brief analysis of this new variant, which we are detecting as W32/Zurgop.BK!tr.dldr. New Dofoil? The previous Dofoil botnet... [Read More]
by RSS He Xu  |  Nov 12, 2014  |  Filed in: Security Research
Andromeda is an infamous modular botnet that has been around for several years now. It is very popular in the underground cybercrime market, with many different variants that use different RC4 keys in encrypting and decrypting its network packets. Since the beginning of 2014, we have found that the version number, which can be seen in its network traffic, has turned to 2.08. This new version is very similar to the previous version 2.07. The main difference can be found in the beginning of the codes, which contain Andromeda's anti-analysis tricks.... [Read More]
by RSS He Xu  |  May 19, 2014  |  Filed in: Security Research