Hello and welcome to the Monday, November 7, 22,

edition of the Sandcent Storm Center's Stormcast. My name is Johannes Ulrich,

and I'm recording from Jacksonville, Florida.

Got a couple interesting diaries from this weekend to talk about, first one by Xavier,

about a new version of these new to

Xavier of Remco's downloader.

This is one of those cases where the downloader has real low virus total recognition, while

the DLL file it's downloading has high recognition.

You may now say, hey, you know, what's the point?

The important, the dangerous part is the DLL.

That's kind of true.

But with the downloader having such a low recognition, that of course means that

an attacker just has to swap out the DLL and can then still use the existing downloader that may be initially

installed on your system.

What may make this particular downloader so hard to detect is in part the use of Unicode and

of course a lot of tools have issues with dealing properly with Unicode.

That's probably something that's going to show up more and more as more and more programming

languages also support Unicode for the actual code.

So that requires that the tools analyzing the code will properly analyze and be able to figure out Unicode characters.

And talking about relatively simple tricks to obfuscate your malware and make it difficult for anti-malware tools to detect.

Guy ran into a malicious executable.

It actually arrived as a .vhd file.

...