SpiderLabs is the security research arm of Trustwave. It was no surprise when Ziv Mador, director of security research at SpiderLabs, received two malware samples from Trustwave’s incident response team and was asked to do a bit of forensics – standard procedure, in fact. Incident response had been called in by a client to investigate a ‘situation’ on a point-of-sale device and had discovered two suspicious-looking files. Mador in was asked to investigate.
The first sample turned out to be Sality, a nasty bit of malware that has been around since 2003. Sality’s longevity illustrates the ongoing battle between malware authors an anti-malware developers – nearly all AVs recognize it, but it’s polymorphic, and by infecting other files, very tenacious. Still, as far as Mador was concerned, job done on the first sample: recognized and classified. The only real and unexplained surprise was finding a mass distribution trojan like Sality on a point-of-sale system: it’s “more of the type of malware you’d expect to see on your Aunt Sally’s computer after she went to some link she saw in an email,” he commented.
The second part, however, was a surprise; because it too was Sality. Only it wasn’t. Mador ran it through a variety of anti-malware engines and they all said it was Sality. But it looked nothing like the first sample, and showed evidence of being targeted rather than mass distributed. Sality has never shown evidence of being used in targeted attacks; but targeted is what he would expect to find on a point-of-sale system. For a moment he thought he’d discovered a new and targeted version of Sality.
But Mador hadn’t. What he’d found was a new and so-far undetected targeted banking trojan that had been infected by the first Sality sample. Because the AV engines could not detect the banking malware, all they could see was the Sality infection, and reported it as Sality. Were it not for that infection, the banking malware would still be unknown and undetected. Virus on virus.
Mador couldn’t tell Infosecurity much about the banking trojan because of the sensitive nature of client confidentiality and the involvement of law enforcement in ongoing investigations.