Monday 10 June 2013

New backdoor abuses Encrypting File System to Prevent Forensic Analysis


A new piece of malware spotted by Symantec uses a technique that abuses the Encrypting File System (EFS) to prevent security researchers from accessing the contents of its malicious files.

EFS is a Windows feature that lets files or folders be stored in encrypted form. The encryption is designed to protect confidential data from attackers, but it appears that cybercriminals have found it an equally good way to protect their own data.

According to Symantec's malware report, the malware creates a folder inside the temporary folder and then calls the EncryptFileW API to encrypt that folder and all its files. It then copies itself into the folder as wow.dll.

Since the files are encrypted with EFS, a security researcher cannot read wow.dll by booting another OS, such as Linux, from a removable drive.

However, the researchers manually executed the threat on a test computer and captured the contents of the malicious files that way.

The malware, currently detected by Symantec antivirus as Backdoor.Tranwos, is capable of downloading more malware onto the victim's system.
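As an added example (not code from Symantec's write-up or from the malware itself): a PowerShell triage script that hunts for EFS-encrypted files in the temporary folders where the backdoor is reported to stage wow.dll. EFS encrypts only file content, so the Encrypted attribute, file name, size, timestamps and owner stay readable and the staging can be spotted even when the bytes cannot. The list of paths and the list of executable extensions are assumptions.

```powershell
# Hunt for EFS-encrypted files staged in temporary folders (added example, not
# from the original post). Paths and "interesting" extensions are assumptions.
$roots = @($env:TEMP, (Join-Path $env:SystemRoot 'Temp'))
$roots += Get-ChildItem (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue |
          ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' }
$execExt = '.dll', '.exe', '.scr', '.sys'

$findings = foreach ($root in ($roots | Sort-Object -Unique | Where-Object { Test-Path $_ })) {
    # FILE_ATTRIBUTE_ENCRYPTED (0x4000) is file metadata, so it is visible even
    # though the content cannot be read without the owner's EFS key.
    Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted } |
        ForEach-Object {
            [pscustomobject]@{
                Path       = $_.FullName
                SizeBytes  = $_.Length
                Created    = $_.CreationTimeUtc
                Owner      = (Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue).Owner
                Executable = $execExt -contains $_.Extension.ToLower()
            }
        }
}

# EFS-encrypted executables under a temp folder are rare on a normal host and
# match the staging behaviour described for Backdoor.Tranwos; list those first.
$findings | Sort-Object -Property @{Expression = 'Executable'; Descending = $true}, Created |
    Format-Table -AutoSize

# cipher.exe /c lists which user certificates can decrypt each file, which
# identifies the account the malware ran under when it called EncryptFileW.
$findings | Where-Object Executable | ForEach-Object { cipher.exe /c $_.Path }
```

Run it from an elevated prompt on the suspect host, or against a mounted image with the root list pointed at the image's drive letter; the attribute and owner fields are readable either way.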
