LokiBot trojan found hidden in .PNG files


a .PNG file that can slip past some email security gateways. According to Trustwave SpiderLabs, the .PNG/LokiBot messages delivering the trojan have been limited. LokiBot is a trojan designed to covertly steal information from compromised endpoints. The malware is known for being simple and effective. The malware is sold for as little as $300 in underground markets.

Researchers said the spam message delivering the LokiBot payload has three distinct characteristics. First, the attachment used in the spam campaign has a .zipx extension, meaning it is a compressed archive. These types of compressed files are known for containing malware and are flagged by email security gateways as dangerous. In an attempt to avoid detection, the hackers behind the malspam trick email security gateway scanners by obfuscating the archive, using the file signature of .PNG, the portable network graphics format. The hackers use the .PNG file structure, complete with a .PNG header and an IEND chunk. When the malicious file is scanned it is identified as a .PNG image, even though it has a .zipx extension. The actual archive data is appended after the end of the .PNG structure. In a PNG file, IEND is supposed to mark the end of the image and is supposed to appear last, but in this file there is a large amount of data after IEND. The PNG format specification appears to allow for such extraneous data; it is up to the application to decide whether to interpret or ignore it. The malicious attachment can be displayed in an image viewer as a .PNG image of a .JPG icon.
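The structural trick described above (a valid PNG header and chunk list ending in IEND, with a zip archive appended after it) is easy to check for on the defender's side. The following is an added example written for this article, not code from Trustwave SpiderLabs or Walden Systems. It builds a constructed, harmless PNG/zip polyglot in memory, walks the PNG chunk list to locate IEND, reports how much data trails it and whether that trailer carries zip signatures, and shows that a zip reader which searches from the end of the file (Python's `zipfile`, standing in for WinRAR here) still opens the archive despite the PNG prefix. All sample data is constructed inline.

```python
import io
import struct
import zipfile
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Zip signatures that would indicate an archive appended after the image
ZIP_LOCAL_HEADER = b"PK\x03\x04"   # local file header
ZIP_EOCD = b"PK\x05\x06"           # end of central directory record


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """Constructed 1x1 8-bit grayscale PNG: signature, IHDR, IDAT, IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, colour type, ...
    raw_scanline = b"\x00\x00"  # filter byte 0 followed by one grey pixel
    idat = zlib.compress(raw_scanline)
    return (PNG_SIGNATURE
            + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", idat)
            + png_chunk(b"IEND", b""))


def build_polyglot_sample() -> bytes:
    """Constructed sample: a real PNG with a harmless zip archive appended after IEND."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample.txt", "placeholder text, not malware")
    return build_minimal_png() + buf.getvalue()


def analyze_png(data: bytes) -> dict:
    """Walk the chunk list, find IEND, and report anything that follows it."""
    result = {"is_png": False, "chunks": [], "iend_offset": None,
              "trailing_bytes": 0, "zip_appended": False}
    if not data.startswith(PNG_SIGNATURE):
        return result
    result["is_png"] = True
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        end = pos + 12 + length  # length + type + data + crc
        if end > len(data):
            break  # truncated chunk; stop rather than read past the buffer
        result["chunks"].append(ctype.decode("ascii", "replace"))
        pos = end
        if ctype == b"IEND":
            result["iend_offset"] = pos
            break
    if result["iend_offset"] is not None:
        trailer = data[result["iend_offset"]:]
        result["trailing_bytes"] = len(trailer)
        # Flag trailing data that looks like a zip archive (header at start or EOCD anywhere)
        result["zip_appended"] = trailer.startswith(ZIP_LOCAL_HEADER) or ZIP_EOCD in trailer
    return result


def zip_member_names(data: bytes):
    """Return the archive's member names if a zip reader accepts the file, else None."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


if __name__ == "__main__":
    sample = build_polyglot_sample()
    print(analyze_png(sample))
    print("zip reader sees:", zip_member_names(sample))
```

A gateway rule built on this idea would not key on the extension or the leading signature alone: it would parse the PNG to IEND and treat any non-trivial trailer, particularly one carrying zip signatures, as an archive to be scanned or blocked.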


To get infected, a victim must first click on the message attachment. Doing so may or may not launch the right archive decompressor application, depending on the client-side applications installed on the computer. According to the researchers, the WinRAR utility is one of the only file decompression utilities that reliably opens and decompresses this .zipx archive. Other utilities, such as 7-Zip and WinZip, fail to open the file, most likely because of the extraneous data packed in front of the archive. After the 500 KB .zipx archive is extracted by WinRAR to a 13.5 MB file, the user must double-click the unpacked RFQ -5600005870.exe file to get infected.

The LokiBot command-and-control tools are written in PHP and almost always use the file name "fre.php". Requests for fre.php could be blocked at the gateway. The malspam samples may or may not be blocked by the email gateway as either spam or potentially malicious. But I can't speak for other gateways. Because the archive is hidden in a real PNG file, it may not be recognized as a zip archive, and therefore gateways may simply ignore it.