A Trojan's self-cultivation: f0xy, the latest and rather crafty variant of a financial malware family
Security researchers first spotted the f0xy malware on January 13, 2015, and its infection capability has been changing and improving ever since. The earliest samples could only infect Windows Vista and newer Microsoft operating systems; later variants added Windows XP, and today anti-virus software rarely detects it at all.
Understanding the f0xy malware
The odd name f0xy comes from the string "f0xy" that appears in the name of its executable and in the registry key it creates (for example ).
When it first appeared, f0xy was caught by simple anti-virus signature checks; the current variant is far harder to deal with.
What makes f0xy interesting is that it changes its C&C (command and control) server dynamically, and that it abuses two legitimate transport channels: Russia's most popular social network, VKontakte, and a built-in file transfer service of Microsoft Windows. For the first, f0xy visits VKontakte and reads the comments under a particular user profile; one comment is an encrypted string that conceals the current C&C server URL. Quite crafty.
Clever use of a Microsoft Windows feature
Once f0xy is planted on the victim's machine, it uses the Windows Background Intelligent Transfer Service (BITS) to download its payload in the background.
BITS is a Windows component that transfers files asynchronously in the foreground or background. It throttles the transfer so that other network applications stay responsive, and it automatically resumes an interrupted transfer after the computer is restarted or the network connection comes back.
This choice is clever: the download is performed by a trusted Windows service over idle network bandwidth rather than by the malware's own process, so ordinary anti-virus software does not notice it.
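The flip side of using BITS is that the service keeps its own records. The following hunting script is an added example written for this article, not f0xy code or anything from the original report; it assumes an elevated PowerShell session on Windows 7/Server 2008 R2 or later with the BitsTransfer module available, and the allow-list of Microsoft update domains in step 2 is a tuning assumption that should be adjusted for the environment.

```powershell
# Added hunting example (not f0xy code): list BITS jobs and recent BITS
# downloads so an analyst can spot a transfer that a dropper queued.
# Assumes an elevated session (needed for -AllUsers and the operational log)
# and the BitsTransfer module shipped with Windows 7 / Server 2008 R2 and later.
Import-Module BitsTransfer

# 1. Live and queued jobs for every user. RemoteName is the download URL;
#    an unfamiliar host or a job owned by an ordinary user account is the
#    first red flag.
Get-BitsTransfer -AllUsers |
    Select-Object DisplayName, JobState, OwnerAccount, CreationTime,
        @{ n = 'Urls';       e = { ($_.FileList | ForEach-Object RemoteName) -join ', ' } },
        @{ n = 'LocalFiles'; e = { ($_.FileList | ForEach-Object LocalName)  -join ', ' } } |
    Format-Table -AutoSize

# 2. Completed jobs disappear from the queue, but the BITS client logs
#    event 59 (transfer started) and 60 (transfer stopped), each carrying the
#    job name and URL, so the download history survives the job itself.
#    The domain allow-list below is an assumption; tune it for your estate.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Bits-Client/Operational'
        Id        = 59, 60
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -notmatch 'windowsupdate\.com|\.microsoft\.com' } |
    Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -Wrap
```

Run it on a suspect host and read both tables together: a job in step 1 with a non-corporate URL, or a step 2 event whose URL does not belong to a known updater, is worth pulling the local file and the owning process for. The legacy `bitsadmin /list /allusers /verbose` command shows the same queue if the module is unavailable.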
[Source: securityaffairs. For more information, see FreeBuf hacker and geek (FreeBuf.COM)]