Malware Uses ZWS Compression for Evasion Tactic
This malware, detected as TROJ_SHELLCOD.A, is an exploit that targets an Adobe Flash Player vulnerability (CVE-2013-5331). The malware is a document file with an embedded Flash file, which has been compressed using ZWS. Released in 2011, ZWS uses the Lempel-Ziv-Markov chain algorithm (LZMA) to compress data losslessly. We now take a look at how this legitimate technique was used by this particular malware.
Figure 1. Compressed malware
Figure 1 shows the malware in its compressed form, which allows it to evade detection. To decompress the content, we used a SWFCompression Python script.
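The ZWS container is simply an 8-byte SWF header, a 4-byte compressed length, 5 bytes of LZMA properties and the LZMA stream. The following is an added example (not the SWFCompression script the analysts used) of how a scanner can normalise any SWF container, ZWS included, back to plain FWS before inspecting it; the sample body is constructed, and the example assumes the LZMA stream ends with an end-of-payload marker, as liblzma's `.lzma` encoder produces.

```python
import lzma
import struct
import zlib
from typing import Optional

SWF_HEADER_LEN = 8                  # signature(3) + version(1) + uncompressed length(4)
LZMA_PROPS_LEN = 5                  # LZMA properties byte + 4-byte dictionary size
MAX_SCRIPT_LEN = 64 * 1024 * 1024   # refuse to inflate anything larger (bomb guard)

# Constructed sample body (header RECT, frame rate/count, padding, End tag); not a real file.
SAMPLE_BODY = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x18\x01\x00" + b"\x44" * 64 + b"\x00\x00"

def swf_signature(data: bytes) -> Optional[str]:
    """Return 'FWS' (plain), 'CWS' (zlib) or 'ZWS' (LZMA), or None if not an SWF."""
    sig = data[:3]
    return sig.decode("ascii") if sig in (b"FWS", b"CWS", b"ZWS") else None

def decompress_swf(data: bytes) -> bytes:
    """Normalise any SWF container to uncompressed FWS so a scanner can inspect it."""
    sig = swf_signature(data)
    if sig is None or len(data) < SWF_HEADER_LEN:
        raise ValueError("not an SWF header")
    # The length field is attacker-controlled: bound it before allocating anything.
    script_len = struct.unpack_from("<I", data, 4)[0]
    if not SWF_HEADER_LEN <= script_len <= MAX_SCRIPT_LEN:
        raise ValueError(f"implausible uncompressed length {script_len}")
    body_len = script_len - SWF_HEADER_LEN
    if sig == "FWS":
        body = data[SWF_HEADER_LEN:]
    elif sig == "CWS":
        body = zlib.decompressobj().decompress(data[SWF_HEADER_LEN:], body_len)
    else:
        # ZWS layout: header(8) + compressed length(4) + LZMA props(5) + LZMA stream.
        # Rebuild a .lzma ("alone") header in front of the stream; the size field is set
        # to "unknown" (0xFF * 8) because the stream ends with an end-of-payload marker.
        props = data[12:12 + LZMA_PROPS_LEN]
        alone = props + b"\xff" * 8 + data[12 + LZMA_PROPS_LEN:]
        body = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE).decompress(alone, body_len)
    if len(body) != body_len:
        raise ValueError("decompressed size does not match the header")
    return b"FWS" + data[3:4] + struct.pack("<I", script_len) + body

def make_zws(body: bytes, version: int = 13) -> bytes:
    """Wrap an uncompressed SWF body in a ZWS container (used here only to build a sample)."""
    alone = lzma.compress(body, format=lzma.FORMAT_ALONE)   # 5 props + 8-byte size + stream
    props, stream = alone[:LZMA_PROPS_LEN], alone[LZMA_PROPS_LEN + 8:]
    return (b"ZWS" + bytes([version]) + struct.pack("<I", SWF_HEADER_LEN + len(body))
            + struct.pack("<I", len(stream)) + props + stream)
```

Running `decompress_swf(make_zws(SAMPLE_BODY))` returns the equivalent FWS file; a scanner that only understands FWS and CWS would otherwise see nothing but an opaque LZMA stream.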
Figure 2. The shellcode has been extracted in ASCII form
Figure 3. ASCII shellcode
After converting the shellcode to hex, we see a URL that it most likely contacts. Unfortunately, we could not acquire the payload it is meant to download, as the URL was no longer accessible at the time of analysis.
Figure 4. Binary shellcode
Loading the code into a debugger produces the following outcome.
Figure 5. Code execution
As you can see in Figure 5, this malware uses a different approach for executing its payload. Typically, malware is downloaded and then executed, which means a physical copy of the malware is dropped on the infected machine. That dropped file is what gives security solutions something to detect.
However, this particular malware allocates memory using VirtualAlloc, copies its payload there and executes it, acting like a backdoor. Doing so makes it harder to trace the malware's routines, as there is no physically dropped file; the payload exists only in memory. This is why this malware is able to evade most security solutions, even those that support ZWS compression.
We urge users to regularly install security updates as soon as they are made available. These patches can mean the difference between protection and infection. For example, the vulnerability used in this attack was patched by Adobe in December 2013.
Trend Micro detects all threats related to this attack.