Hello, welcome to the Monday, March 20th,

2017 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Xavier talked about an interesting malware sample on Saturday.

In this particular sample, the downloader actually acts in a number of stages.

And one interesting part here was that part of the initial download was a bitmap file that

turned out to be an obfuscated executable.

Bitmap files, of course, are usually not inspected by anti-malware, so by loading a bitmap onto the system

and then have a fairly benign little script that will decrypt it and turn it into an executable,

you may be able to bypass some anti-malware systems.

And even if it won't work on the endpoint itself, it most

certainly will evade detection on gateways like proxies and the like that are inspecting

code at rest. Another not really new lesson but sort of reinforced by the sample

when it comes to anti-malware is that much

malware is loading multiple pieces off code onto a system and then essentially just hoping that

one of them will not get disrupted by anti-malware so whenever you see the warning that your anti-malware program has found something

malicious on your system and it turns out to be a real malicious sample, you always have to

worry about what else was loaded on the system that your anti-malware has not picked up.

I've seen cases where anti-malware sort of picked up literally

dozens of malicious pieces of code, but eventually one malicious piece that's not being detected

makes it onto the system and then of course causes damage. All of this can be caused by the same

downloader. An interesting paper by researchers at the

...