Saturday, March 18, 2017
Home / Malware / Microsoft Discovers Trojan that hides files to evade analysis

Microsoft Discovers Trojan that hides files to evade analysis

Microsoft has found an remarkably stealthy Trojan able to delete files it downloads in order to keep them away from forensics detectives and investigators.

The Trojan downloader, labeled Win32/Nemim.gen.A, is the most recent model of how malware authors are utilizing advanced techniques to protect their own trade secrets. The Trojan basically makes downloaded component files unrecoverable, so they cannot be isolated and analyzed.

“During analysis of the downloader, we may not easily find any downloaded component files on the system,” Jonathan San Jose, a member of Microsoft’s Malware Protection Center, said in a blog post. “Even when using file recovery tools, we may see somewhat suspicious deleted file names but we may be unable to recover the correct content of the file.”

Commonly, downloaders’ only job is to deliver the core malware. In this instance, the downloader delivered the malware and proceeded to be an integral part of the operation.

“Malware that covers its tracks to prevent the security community from developing quick defensive signatures is the norm today,” said Paul Henry, a forensic analyst for Lumension.

Other malware inserts its malicious code in system memory, never leaving a trail in the infected computer’s registry or hard drive, Henry added.

About FastFlux

Owner of ZeroSecurity, interested in programming, malware analysis and penetration testing. If you would like to write for the ZeroSecurity team, please use the contact form above.

Check Also

New FastPOS malware targeting Point-of-Sale systems

Experts have disclosed a new category of malware, labeled “FastPOS,” that has the ability to quickly …