Previously this year, we came across a downloader (win32.exe) that is making some effort in hiding its traffic. The downloader is making GET requests to files, such as search.jpg, winlogon.jpg, tibs.jpg and tool.jpg. Using tools like chaosreader and foremost to extract the files, you would find out that these files indeed are valid images (like the one shown to the left in this post).
However, if we look more closely, we find that these files has something more interesting appended past the JPG data. Below is a short video showing what’s inside winlogon.jpg.
This downloader was found on hightstats dot net, which, at that time, resolved to 188.8.131.52 (AbdAllah Internet, TR) – whose netblock is very well known for its malicious hosting. At the time of this writing, the domain resolves to 184.108.40.206 (Net Access Corporation, US) and is still serving these files. We’ve also seen this kind of obfuscation before, then with the image of a green frog – McAfee has mentioned this on their blog.
Now, what winlogon.jpg (..or the executable inside it) did, was to install BraveSentry, a rogue anti-virus/spyware product that claims to have found malware on your system in order to trick you to purchase their product.
This is not a new obfuscation technique, but it seems to be a characteristic for this group of spyware creators, that are pushing these rogue security programs.