Micky Pun, Fortinet
In today's highly layered cybercriminal ecosystem, 'loaders' play a central role: they enable the pay-per-install business, a typical B2B application (or should we say C2C, as in Cybercriminal-to-Cybercriminal?). This illustrates the specialization of cybercriminals: malware distribution is outsourced to the owners of loader botnets.
Should one want to start such a business, loaders can be bought on underground forums with prices usually starting at around $350. As we will see in this paper, though, a particular loader named Smoke Loader (detected as Dofoil) recently attempted to disrupt the market, being offered at half this price. Judging by the spreading activity it showed on our probes between June 2011 and January 2012, it had significant success.
We will thus dissect Smoke Loader and its evolutions, combining a black-box approach (traffic analysis) with a white-box one (code reversing). As we will see, it is far from devoid of features and is heavily modular; as such, it can be awarded the title of 'Swiss Army Knife', much like its more expensive competitors. We will compare it with other loaders, highlighting its strengths and weaknesses relative to them.