Trojan Frog on the Loose

Here's a trick the traffall.biz (aka iframecash.biz) gang has been using for at least a few weeks. In addition to their usual Internet Explorer exploitation to install downloading downloader trojans (downloading downloading downloaders in many cases), they've been obfuscating some of the traffic by hiding exe files within JPG files. To a network administrator they would see HTTP get requests to traffall.biz/pic/[filename].jpg Which would appear normal (unless you were up-to-date on your bad domain list). And if you were to download the '.jpg' files they would indeed first appear to be just an image of a goofy frog:

Here's a Hex dump of the start of the JPG file:

In the middle of the file, we can see the encrypted executable (the cursor is at the start):

Once the file has been downloaded, the trojan that fetched the file in the first place strips off the image, decrypts the exe, and launches it (and as you may have guessed, the 'it' in this case is yet another downloader). Ironically the trojans that employ this tactic usually download other files that do not use this tactic, so it's less effective in hiding a compromised machine from a network admin. So why else do it? The main reason may be an attempt to slip passed anti-virus and anti-spyware researchers and automated analysis tools. Basic file-type tools will likely see the files as valid JPEGs, which could lead to early dismissal during analysis.

The group behind this remains to be one of the most active spyware creators out there.