Recently, we discovered a threat that abuses the Encrypting File System (EFS), which Symantec detects as Backdoor.Tranwos. Not only is it trivial for program code to use EFS, it’s also very effective at preventing forensic analysis from accessing the contents of the file.
The threat creates the folder %Temp%\s[RANDOM ASCII CHARACTERS] and calls the EncryptFileW API to encrypt it; Windows then automatically encrypts every file and folder subsequently created inside that encrypted folder. The threat also copies itself into the folder under the file name wow.dll and modifies the Characteristics field of the PE header so that the copy is marked as a DLL.
Figure 1. Creates folder and encrypts it
In some cases, security researchers boot another operating system, such as a version of Linux running from a removable drive, to retrieve malicious files from a compromised computer. This method is useful when retrieving files from a computer compromised by a rootkit. However, wow.dll cannot be obtained this way because the DLL is encrypted with EFS.
The user account that executed the threat can read the file's contents and change its encryption status. Because the threat makes it impossible to use forensic tools as we normally would, we have to manually execute it on a test computer to gather the file's contents. The sole purpose of the threat's use of EFS is to prevent forensic analysis from retrieving its own contents.
Figure 2. wow.dll file path
After the threat executes, Explorer shows the folder and the file in green, indicating that they have been encrypted.
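The two observable traits described above, the EFS Encrypted attribute on the dropped folder and the DLL bit in the PE Characteristics field, can be checked from a live-response session running as the affected user. The following triage helper is an added example, not Symantec's code; the minimal PE header it builds for testing is constructed, and the %Temp% scan is only meaningful on Windows under the account that created the files.

```python
"""Live-response triage for EFS-encrypted PE files (added example)."""
import os
import struct
from pathlib import Path

IMAGE_FILE_DLL = 0x2000            # PE Characteristics bit that marks a DLL
FILE_ATTRIBUTE_ENCRYPTED = 0x4000  # st_file_attributes bit for EFS-encrypted objects


def pe_characteristics(data: bytes) -> int:
    """Return the COFF Characteristics field; raise ValueError if not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the 4-byte signature; Characteristics is its last field (offset 18).
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 4 + 18)
    return characteristics


def is_marked_dll(data: bytes) -> bool:
    return bool(pe_characteristics(data) & IMAGE_FILE_DLL)


def build_min_pe(characteristics: int) -> bytes:
    """Constructed minimal MZ/PE header (no sections) used only for offline testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, characteristics)  # Machine = i386
    return bytes(dos) + b"PE\0\0" + coff


def find_encrypted_pe_files(root: Path) -> list:
    """Return (path, marked_as_dll) for EFS-encrypted PE files under root.

    st_file_attributes exists only on Windows; elsewhere no file is reported."""
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        attrs = getattr(path.stat(), "st_file_attributes", 0)
        if not attrs & FILE_ATTRIBUTE_ENCRYPTED:
            continue
        try:
            hits.append((path, is_marked_dll(path.read_bytes())))
        except (ValueError, OSError):
            continue  # not a PE image, or unreadable by this account
    return hits


if __name__ == "__main__":
    for path, dll in find_encrypted_pe_files(Path(os.environ.get("TEMP", "/tmp"))):
        print(f"{path}  marked_as_dll={dll}")
```

Run it from the same user session that executed the sample; from a boot disk the Encrypted attribute is visible but the contents are not, which is exactly the limitation the post describes.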
The threat can switch command-and-control servers according to a command it receives from the remote attacker through the back door it opens. It can also download more malware onto the compromised computer. Symantec will continue to monitor this threat and report if anything new is discovered.
The best way to stay safe from this threat and others is to keep your antivirus definitions, IPS signatures, and firewall rules up to date.
The McAfee Threats Report for the first quarter of 2013 highlighted a noteworthy increase in the number of Koobface malware samples on record. This data point is based on the number of unique malicious files associated with the Koobface family and is generally one indicator of active malware development. Besides the number of changes made to a malware family's code base, sample counts can also be inflated by repacking of the same underlying code (a common evasion tactic used by malware distributors), garbage data or junk instructions added to binaries, and other forms of server-side or client-side polymorphism (such as self-modifying code or web server scripts that serve a unique binary with each download). Another complication arises from what is often called a cocktail, in which a parasitic virus infects a host file that is itself another piece of malware.
These factors led to our Koobface statistics being off by a large margin. The corrected data below shows Koobface on a continuing decline since Facebook published its landmark post “Facebook’s Continued Fight Against Koobface” nearly a year and a half ago.
We apologize for the error.