Bubnix Uses Interesting Obfuscation Scheme

This month, we added the Bubnix family to the latest Malicious Software Removal Tool (MSRT) release.

WinNT/Bubnix is a complicated spam bot which arrives on an affected computer by way of a downloader, TrojanDownloader:Win32/Bubnix.A. TrojanDownloader:Win32/Bubnix.A is itself often downloaded by variants of Win32/Bredolab and Win32/Harnig in the wild.

Generally speaking, it is common for a malicious executable to be transferred in encrypted form by a downloader. In order to increase the apparent legitimacy of the content,
TrojanDownloader:Win32/Bubnix.A takes this a simple step further. Let us take a look at what the Bubnix downloader retrieves below:

Figure 1. Content retrieved by the Bubnix downloader

Upon cursory inspection, this appears to be a ‘Rar’ archive. In fact, the header is a valid one for a password protected archive. Any attempt to “decompress” the archive will yield a request for the password. This isn’t really a true ‘Rar’ archive. Let us now take a closer look at the downloader itself:

Figure 2. Bubnix downloader code

We can see from this, if what appears to be a ‘Rar!’ marker is found, the key and length are then extracted. This information is passed to a decryption function, where the malicious Bubnix driver is revealed. The highlighted portion in Figure 1. at offset 0x14 is the decryption key.

Beyond simple transformation, there are many and varied techniques used by malware to mask and encapsulate the content of transmissions. Whether it is a malicious binary, command and control directives or sensitive data, there is always something new to examine.

– Scott Molenkamp

Comments (0)