China Chopper Trojan Tricks Antivirus Engines


A tiny Web shell is easily sneaking past antivirus engines to infect Web servers and, despite its small footprint, researchers at FireEye say it gives attackers a wealth of tools to remotely gain access to systems or set up a more robust attack platform.

Called China Chopper, the Web shell was first identified by malware experts in November and is believed to have been used both by financially motivated cybercriminals and in targeted attacks as part of cyberespionage campaigns. The server-side component is only 4 KB, small enough to slip past antivirus software, according to a team of researchers at Milpitas, Calif.-based security vendor FireEye, which released an analysis of the threat Wednesday. The researchers described the Web shell as compact, flexible and stealthy.

"China Chopper is so small and simple that you could conceivably type the contents of the shell by hand," the researchers said.


FireEye ran the Web shell through the multi-engine scanning websites NoVirusThanks and VirusTotal and found that none of the antivirus engines flagged it as malicious. "Most, if not all, antivirus tools would miss the Web shell on an infected system," the researchers said.

Malware writers have been making gains in duping traditional antivirus and network security appliances. In addition to reducing the size of the malware footprint, their methods include code obfuscation and other mechanisms designed to make the malicious code appear legitimate. Security experts warned of a new banking Trojan last year called Tinba, noting the malware's 20-KB size. The Trojan slipped past antivirus software, hooking into browsers to steal login data and sniff network traffic.

Security experts said the sheer number of malware attacks targeting businesses has overwhelmed most security systems, giving China Chopper and other remote access tools a window of opportunity to gain access to systems and remain undetected for lengthy periods of time. Larger organizations are trying to boost the expertise of their internal incident response teams, while midsize and smaller businesses typically seek outside help when suspicious activity is detected, said Ken Silva, senior vice president for cybersecurity strategy at ManTech International.

"By and large, companies that continue to invest in building the moat, the big tall wall, and putting defensive measures around it are coming to grips with the fact that no matter how good that is some stuff will get in and when it does they need to be prepared for that," Silva told CRN. "We won't feel the ramifications of all this intellectual property theft for five to seven years, and then it will be too late."

China Chopper appears to be gaining access to systems with the goal of stealing intellectual property, but it could also be used to steal account credentials and credit card data and to do further damage, FireEye said. The tool has two parts: a Windows client binary that serves as the attacker's command-and-control console, with attack and victim-management features, and the tiny server-side script planted on the compromised Web server. From the client, an attacker can scan for vulnerabilities and run brute force attacks against password-protected servers. Once inside, an attacker can upload or download files, including additional malware, to and from the infected system, the FireEye researchers said.

PUBLISHED AUG. 8, 2013