So if I read this correctly, the idea is that the PNG fetch looks innocuous to traffic scanners but the fetcher code executes the included DLL? The PNG rendering code in the browser would just discard those bits.
The article is not clear on the actual execution step. It is written by Cisco, after all, suggesting that the article is concerned mostly with how the worm spreads itself (with more focus on the command-and-control and networking).
It's possible that it only spreads when it is saved locally and "opened" by the user in an application. It's also possible that it's executed in the browser upon open and/or render.
Since the worm/payload is a DLL and the user-agent making the download requests is Trident, I'm guessing it's a problem with the Windows + IE code, which is likely shared, that renders PNG images.
What I gathered is that this is just a way for malware to fetch additional instructions after already being executed through some unrelated process.
In other words, you've already been compromised, but the malignant code needs more instructions to continue effectively, so it fetches what appears to be an innocuous PNG file, which carries the instructions it needs.
Important: This is not like the old PDF exploits where the code would run when the file was viewed. This is instead a form of obfuscation where the compromised DLL has been concatenated with a valid PNG file. PNG readers will simply display the file normally; they are oblivious to the DLL code. The Graftor trojan, if it is already in your system, will try to download the PNG and, if antivirus/network filtering does not stop it from a successful download, will use the DLL that came bundled with the PNG.
5 comments
[ 2.5 ms ] story [ 20.6 ms ] threadIn other words, you've already been compromised, but the malignant code needs more instructions to continue effectively, so it fetches what appears to be an innocuous PNG file, which carries the instructions it needs.