Hello and welcome to the Monday, January 29th, 2004 edition of the Sands and its Storm Center's Stormcast.

My name is Johannes Ulrich and I'm recording from Jacksonville, Florida.

Xavier just doesn't get tired of finding new and interesting ways how malware is encoded.

The latest trick that Xavier came across is in the form of a batch files or dot BAT files, these Windows script files.

Well, typically they include like a script by themselves, but in this case, actually, the file just contained comments. Double colon at beginning of the line does

indicate a comment for a badge file. The trick here was that these comments really then included

or represented multiple different payloads that could be extracted from the file.

There was a two-digit indicator as to what particular payload was being encoded in a specific line,

and then a line number.

Now, the line numbers weren't initially sorted, but based on using the line number,

then a PowerShell script or a simple

bash script or whatever can be used to then extract a specific script, decoded, and then

executed.

Sagan took a closer look at the Malver that was extracted from this particular batch file.

It was a connection to a command control channel that used port 443 but was not encrypted with

TLS. So just some simple sort of command control protocol, lots of pinks and pongs, which is kind of typical

to just establish that connection succeeded.

Antivirus total score was pretty low with only one out of 60 antivirus tools identifying

this sample as malicious.

Now we got an interesting issue for users of the routers from Fritzbox.

They're particular popular in the German-speaking parts of Europe.

And I'll link to an article that describes the problems here that is in German,

...