VIRUS BULLETIN www.virusbtn.com
AUGUST 2014
Covering the global threat landscape
ICOSCRIPT: USING WEBMAIL TO CONTROL MALWARE
Paul Rascagnères
G Data, Germany
Recently, we identified a piece of malware that had gone undetected since 2012. We named the malware Win32.Trojan.IcoScript.A. This sample is a classic remote administration tool (RAT), but it has a particular way of communicating with its control server. It is very modular and it abuses popular web platforms (like Yahoo and Gmail) for command and control communication. This article presents the techniques used by this malware. In addition, we can envisage future techniques that will make the lives of incident response teams harder.
HIDDEN COMMUNICATION
Component Object Model technology (COM)
Microsoft Windows provides an interface for inter-process communication. It allows developers to control the objects of other applications. This technology, called COM, can be used to control Internet Explorer. It’s very useful for malware d