
An onion of obfuscation - blasdel
http://arcanesentiment.blogspot.com/2010/01/onion-of-obfuscation.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+ArcaneSentiment+%28Arcane+Sentiment%29&utm_content=Google+Reader
======
mcantor
I'm a little confused. He says that it's a phishing attack and not a virus,
but isn't the eventual payload an executable that does lots of dark win32
magic? I kept expecting him to describe how it launches your browser to a fake
bank login site. Just curious... did I miss something?

~~~
angelbob
He thinks it's for replacing a bit of your browser and doing phishing that
way, based entirely on the symbols the executable imports. So it's a guess,
but a semi-educated one.

~~~
mcantor
I'll capitulate, but only if we get to subsequently call it a "phirus".
(Though I suppose the lack of self-replication precludes calling it a virus.)

~~~
inshallah
_by chance it appeared to come from someone who has previously written to me_

To me, this suggests a viral nature of the attack.

------
bigmac
I'd be interested to know which steps of the packaging process were done
automatically. Presumably these two could be automated in a straightforward
fashion:

 _Embedding a script in a command via cmd /C ... & ... & ... (twice)_

 _Generating a script and then running it (four times)_

The call to IsDebuggerPresent in the final payload executable would be about
zero inconvenience to a malware analyst. The sophistication of the packing
makes me think there are probably other antidebug techniques present.

------
netghost
I was hoping that an onion was the name for a group of obfuscations as per
<http://www.futilitycloset.com/2010/01/03/a-field-guide/>
