Malware Uses ZWS Compression for Evasion Tactic

Cybercriminals can certainly be resourceful when it comes to avoiding detection. We have seen many instances wherein malware came equipped with improved evasion techniques, such as preventing execution of analysis tools, hiding from debuggers, blending in with normal network traffic, along with various JavaScript techniques. Security researchers have now come across malware that uses a legitimate compression technique to go unnoticed by security solutions. This malware, detected as TROJ_SHELLCOD.A, is an exploit that targets an Adobe Flash Player vulnerability (CVE-2013-5331). The malware is a document file with an embedded Flash file, which has been compressed using ZWS. Released in 2011, ZWS uses the Lempel-Ziv-Markove Algorithm (LZMA) to compress data with no data loss. We now take a look at how this legitimate technique was used by this particular malware.

Figure 1. Compressed malware

Figure 1 shows the malware in its compressed form, which allows it to evade detection. To decompress the content, we used a SWFCompression Python script.

Figure 2. The shellcode has been extracted in ASCII form

Figure 3. ASCII shellcode

After converting it to hex code, we see a URL that it most likely accesses. Unfortunately, we cannot acquire the code it is supposed to download as the URL is no longer accessible at the time of analysis.

Figure 4. Binary shellcode

Loading the code into a debugger software produces the following outcome.

Figure 5. Code execution

As you can see in Figure 5, this malware uses a different approach for executing its payload. Typically, malware is often downloaded and executed, which means a physical copy of the malware is dropped in the infected machine. This allows security solutions to detect the malware. However, this particular malware allots memory using VirtualAlloc and executes it, acting like a backdoor. Doing so makes it harder to trace the routines of the malware as there is no physically dropped file; instead the payload is copied directly into memory. This is the reason why this malware is able to evade most security solutions, even those that support ZWS compression. We urge users to regularly install security updates as soon as they are made available. These patches can mean the difference between protection and infection. For example, the vulnerability used in this attack was patched by Adobe in December 2013. Trend Micro detects all threats related to this attack.