Block cipher encryption effectively hides banking Trojan

Brazilian malware peddlers have turned to encrypting banking Trojans with block ciphers, effectively bypassing most AV software.

Kaspersky Lab’s Dmitry Bestuzhev says that he noticed it when he stumbled upon a couple of similarly structured files with a .jpeg extension.

He initially thought that steganography was used, but further analysis revealed that the files were actually bitmap image files and that they contain malware and some other data encrypted within.

“As far as I know, this is the first time [block cipher encryption] has been used by malware writers anywhere in Latin America,” he commented.

Given the effectiveness of this technique, it’s a wonder they haven’t thought about using it sooner. Not only does it sometimes cause AVs to turn up inaccurate results, but files such as these are also difficult to spot for site administrators, increasing the likelihood of them being hosted on a compromised site for a long time.

Bestuzhev expects the encryption algorithm to change following this discovery and his post, as the malware authors behind this particular attack change mirror sites hosting the malware and the actual malicious payload every 2-3 days.