New Trojan Downloader Covers Tracks, Hard to Detect
Security researchers have discovered a new type of Trojan downloader capable of covering its tracks by deleting the files it downloads. That makes it harder for security experts to find and remove the downloader.
The downloader, which is called Win32/Nemim.gen!A, shows how malware writers are producing progressively more sophisticated tools. By deleting all of the files it downloads and uses, this Trojan makes it almost impossible to recover, isolate, and analyze component files.
Sophisticated Malware Difficult to Confront
According to Microsoft Malware Protection Center researcher Jonathan San Jose, that makes it very difficult for security experts to deal with the Trojan.
"During analysis of the downloader, we may not easily find any downloaded component files on the system," San Jose said in a recent blog post.
"Even when using file recovery tools, we may see somewhat suspicious deleted file names but we may be unable to recover the correct content of the file." (Source: technet.com)
Microsoft says the Trojan is designed to infect executable files on removable drives, and through that infection it can deploy a component that steals passwords for email accounts, instant-messenger accounts, and other services.
This Trojan downloader is also unique because it doesn't just deliver the core malware. Instead, the downloader remains a critical part of the operation even after a system has been infected.
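The behaviour described above (components are fetched, used and then deleted, so little is left on disk for analysis) leaves a trace in file-activity telemetry even when the files themselves are gone: the same process creates a file and deletes it again within seconds. The script below is an added example, not code from the article or from Microsoft's analysis of Win32/Nemim.gen!A; it assumes a hypothetical pipe-delimited export of file-create and file-delete events (timestamp, event type, acting process, path) such as Sysmon events forwarded to a SIEM, and the sample log lines are constructed for the demonstration.

```python
"""Flag short-lived files and the processes that repeatedly produce them.

Added example; assumes a hypothetical pipe-delimited feed of file events:
    <ISO-8601 UTC timestamp>|FileCreate or FileDelete|<process image>|<file path>
All sample lines below are constructed, not real telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample events. The first four mimic a downloader dropping two
# components and deleting each a few seconds later; the rest are benign noise
# (a long-lived document, a deletion with no observed creation) plus one
# malformed line to exercise the parser's error path.
SAMPLE_EVENTS = [
    r"2013-04-10T09:00:01Z|FileCreate|C:\Users\bob\AppData\Local\Temp\updater.exe|C:\Users\bob\AppData\Local\Temp\comp1.dll",
    r"2013-04-10T09:00:04Z|FileDelete|C:\Users\bob\AppData\Local\Temp\updater.exe|C:\Users\bob\AppData\Local\Temp\comp1.dll",
    r"2013-04-10T09:00:05Z|FileCreate|C:\Users\bob\AppData\Local\Temp\updater.exe|C:\Users\bob\AppData\Local\Temp\comp2.exe",
    r"2013-04-10T09:00:09Z|FileDelete|C:\Users\bob\AppData\Local\Temp\updater.exe|C:\Users\bob\AppData\Local\Temp\comp2.exe",
    r"2013-04-10T09:00:10Z|FileCreate|C:\Program Files\Editor\editor.exe|C:\Users\bob\Documents\report.docx",
    r"2013-04-10T10:30:00Z|FileDelete|C:\Program Files\Editor\editor.exe|C:\Users\bob\Documents\report.docx",
    r"2013-04-10T09:00:12Z|FileDelete|C:\Windows\explorer.exe|C:\Users\bob\Desktop\old.txt",
    "this line is not a valid event",
]


@dataclass(frozen=True)
class ShortLivedFile:
    path: str
    creator: str      # process that created the file
    deleter: str      # process that deleted it (may differ from creator)
    lifetime_s: float


def parse_event(line):
    """Return (timestamp, event, process, path), or None for a malformed line."""
    parts = line.strip().split("|")
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts, parts[1], parts[2], parts[3]


def find_short_lived_files(lines, max_lifetime_s=60.0):
    """Pair each FileDelete with the most recent FileCreate of the same path.

    Returns (findings, malformed_count). Deletions with no observed creation
    and files that outlive max_lifetime_s are not reported; the pattern of
    interest is create-then-delete within seconds or minutes.
    """
    pending = {}        # lower-cased path -> (creation time, creating process)
    findings = []
    malformed = 0
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            malformed += 1
            continue
        ts, event, proc, path = parsed
        key = path.lower()  # NTFS paths are case-insensitive
        if event == "FileCreate":
            pending[key] = (ts, proc)
        elif event == "FileDelete":
            created = pending.pop(key, None)
            if created is None:
                continue    # no creation seen; lifetime unknown
            create_ts, creator = created
            lifetime = (ts - create_ts).total_seconds()
            if 0 <= lifetime <= max_lifetime_s:
                findings.append(ShortLivedFile(path, creator, proc, lifetime))
    return findings, malformed


def processes_over_threshold(findings, min_count=2):
    """Processes that created at least min_count short-lived files.

    A single short-lived temp file is common; a process that repeatedly
    drops and removes executables or DLLs is worth a closer look.
    """
    counts = defaultdict(int)
    for f in findings:
        counts[f.creator] += 1
    return {proc: n for proc, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    findings, bad = find_short_lived_files(SAMPLE_EVENTS)
    for f in findings:
        print(f"{f.lifetime_s:6.1f}s  {f.path}  (created by {f.creator}, deleted by {f.deleter})")
    print("processes with repeated short-lived files:", processes_over_threshold(findings))
    print("malformed lines skipped:", bad)
```

The matching is keyed on path rather than on process so that a component deleted by a different process than the one that wrote it is still paired and the mismatch is visible in the finding; the lifetime window and the per-process threshold are the two knobs to tune against a given environment's normal temp-file churn.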
Malware Artists Covering Their Tracks
According to Lumension forensic analyst Paul Henry, this is just another example of the unique steps being taken by malware artists to hide their tools from security researchers.
"Malware that covers its tracks to prevent the security community from developing quick defensive signatures is the norm today," Henry said. (Source: pcworld.com)
Indeed, just last week I reported on the Trojan tool 'Trojan.APT.BaneChant' (popularly known as 'BaneChant'), which tracks a user's mouse usage in order to evade automated antivirus systems.
Overall, it's clear that security professionals will need to adapt to changing circumstances.
"Your grandfather's security solutions will leave you utterly defenseless against today's evolving threats," Henry said.
My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in cyber crimes (sextortion / blackmail / tech support scams) with over 30 years experience; I also run this website!