Microsoft has found a remarkably stealthy Trojan that deletes the files it downloads in order to keep them out of the hands of forensic investigators.
The Trojan downloader, detected as Win32/Nemim.gen.A, is the latest example of malware authors using advanced techniques to protect their own trade secrets. The Trojan renders its downloaded component files unrecoverable, so they cannot be isolated and analyzed.
“During analysis of the downloader, we may not easily find any downloaded component files on the system,” Jonathan San Jose, a member of Microsoft’s Malware Protection Center, said in a blog post. “Even when using file recovery tools, we may see somewhat suspicious deleted file names but we may be unable to recover the correct content of the file.”
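The symptom San Jose describes, a deleted file name that is still visible while its content is not, is what you get when a file's data blocks are overwritten before the directory entry is removed: the stale name survives in the filesystem metadata, but a carver only finds the scrubbed bytes. The following is an added example, not code from the article or from Microsoft's analysis. It assumes overwrite-before-unlink as the mechanism (the article only reports the symptom, not how it is achieved) and uses a constructed toy block device so the difference between a plain delete and a wiped delete can be shown offline; the `wipe_and_unlink` helper at the end applies the same idea to a real file.

```python
import os
import secrets
import tempfile

BLOCK = 16  # bytes per block in the toy disk (constructed value)


class ToyDisk:
    """Constructed block-device model, not a real filesystem. Directory entries
    map names to allocated blocks; deleting a file releases the blocks and
    leaves the name in a stale list, the way real filesystems leave old
    directory/MFT records that recovery tools can still read."""

    def __init__(self, nblocks=8):
        self.blocks = [b"\x00" * BLOCK for _ in range(nblocks)]
        self.free = list(range(nblocks))
        self.directory = {}      # name -> (block numbers, logical size)
        self.deleted_names = []  # stale names a recovery tool would still list

    def _store(self, blocks, data):
        for i, b in enumerate(blocks):
            self.blocks[b] = data[i * BLOCK:(i + 1) * BLOCK].ljust(BLOCK, b"\x00")

    def write(self, name, data):
        """Allocate fresh blocks for a new file and store its content."""
        needed = -(-len(data) // BLOCK)
        if needed > len(self.free):
            raise OSError("toy disk full")
        blocks = [self.free.pop(0) for _ in range(needed)]
        self._store(blocks, data)
        self.directory[name] = (blocks, len(data))

    def overwrite_in_place(self, name, data):
        """Rewrite an existing file's content into the *same* blocks."""
        blocks, size = self.directory[name]
        if len(data) != size:
            raise ValueError("overwrite must match the original size")
        self._store(blocks, data)

    def unlink(self, name):
        """Plain delete: release the blocks but leave their bytes untouched."""
        blocks, _ = self.directory.pop(name)
        self.deleted_names.append(name)
        self.free.extend(blocks)

    def carve_unallocated(self):
        """Mimic a file-carving tool: dump the bytes of every free block."""
        return b"".join(self.blocks[b] for b in sorted(self.free))


def plain_delete(disk, name):
    """What an ordinary downloader does: just remove the file."""
    disk.unlink(name)


def wipe_then_delete(disk, name):
    """Assumed anti-forensic delete: scrub the content, then release the blocks."""
    _, size = disk.directory[name]
    disk.overwrite_in_place(name, secrets.token_bytes(size))
    disk.unlink(name)


def demo(delete_fn):
    """Drop a constructed 'payload' on a fresh toy disk, delete it with
    delete_fn, and report what a name-recovery tool and a carver would see."""
    payload = b"MZ-this-is-the-downloaded-component-" + b"\x90" * 10
    disk = ToyDisk()
    disk.write("component.dll", payload)
    delete_fn(disk, "component.dll")
    return {
        "name_recoverable": "component.dll" in disk.deleted_names,
        "content_recoverable": payload in disk.carve_unallocated(),
    }


def wipe_and_unlink(path):
    """Same idea on a real file: overwrite in place, flush to disk, unlink.
    Caveat: on SSDs and on journaling, copy-on-write or snapshotting
    filesystems the new bytes may land in different physical blocks, so the
    old content can survive this; it is only reliable where writes really
    happen in place. Returns True once the path no longer exists."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        f.write(secrets.token_bytes(size))
        f.flush()
        os.fsync(f.fileno())
    os.unlink(path)
    return not os.path.exists(path)


def demo_real_file():
    """Write a constructed file into a temp directory and wipe-delete it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "component.bin")
        with open(path, "wb") as f:
            f.write(b"A" * 100)
        return wipe_and_unlink(path)


if __name__ == "__main__":
    print("plain delete:", demo(plain_delete))
    print("wipe then delete:", demo(wipe_then_delete))
    print("real file wiped:", demo_real_file())
```

With a plain delete both the name and the content come back from the toy disk; after the wipe only the name does, which is exactly the "suspicious deleted file names" without recoverable content that the analysis describes. For a responder the practical consequence is that the component has to be captured while it is still on disk or in memory, or from the network, rather than carved afterwards. The copy-on-write caveat cuts both ways: the same filesystems that frustrate a wiper can hand a forensic examiner an intact older copy.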
Commonly, a downloader's only job is to deliver the core malware. In this case the downloader delivers the malware and then remains an integral part of the operation.
“Malware that covers its tracks to prevent the security community from developing quick defensive signatures is the norm today,” said Paul Henry, a forensic analyst for Lumension.
Other malware inserts its malicious code in system memory, never leaving a trail in the infected computer’s registry or hard drive, Henry added.