Warning over anti-virus evading 'polymorphic' Emotet banking Trojan

Online bankers warned that Emotet can evade detection by three-quarters of anti-virus software packages

Users have been warned about a newly discovered 'polymorphic' banking Trojan that can evade detection by most anti-virus software.

The Emotet Trojan evaded detection in tests of 50 out of 66 anti-virus security products, according to researchers at security company Bromium.

The Trojan can arrive in inboxes as a phishing email attachment without being caught, even where virus scanning is switched on.

Matt Rowen, a software engineer at Bromium, says this shows that attackers are becoming more creative - and more devious.

"Historically, malware writers simply change the packaging or wrapper when they distribute malware.

"For instance, it might be a PDF or Word document, but the dropped malicious file inside could be weeks old and, as such, known to AV. Now we see the secondary executable is changing as well, so the malware is not recognized by AV.

"Worryingly, this shows that malware writers are really improving the standard of their engineering - that spells trouble for AV vendors, who will be forced into a whack-a-mole situation they can never win."

Fraser Kyne, chief technology officer for Bromium EMEA, warns that, now the technique has been perfected, the attackers could inspire copycats, and the same approach could then appear elsewhere, for instance in ransomware and cryptolockers.

Kyne argues that virtualisation is the best form of defence because it stops nasties getting through to the host machine. However, the people most likely to fall for a phishing email are the least likely to be running a VM instance (or to even know what one is).

The company examined the Trojan in detail earlier this month.

"Malware authors are rapidly rewrapping their packed executables and the documents used to distribute them," the company wrote in a blog posting.

It continued: "Based on feedback and further monitoring, we investigated the polymorphic dropped executables in more detail. The results are quite interesting; the samples don't just feature trivial changes or the addition of random data.

"Rather, the sample appears like completely different software in many aspects. This allows the samples to avoid signature-based anti-virus as well as package detection and static analysis.
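The difference Rowen and the Bromium blog describe, between rewrapping an old, known dropped executable and regenerating the executable itself, can be made concrete with a toy scanner. The following Python is an added example for this article, not Bromium's tooling or Emotet's real file format: the container layout, the sample payload bytes, the hash list and the byte-pattern "signature" are all constructed here for illustration. It shows which layer of a hash- or pattern-based scanner catches each kind of lure, and that a payload rebuilt as different software slips past all of them.

```python
"""Toy model of wrapper-level versus payload-level polymorphism.

Everything below is constructed for illustration: the container format stands
in for a PDF/Word lure, the payload byte strings stand in for dropped
executables, and the signature database is invented. None of it is Emotet's.
"""
import hashlib
import struct

MAGIC = b"WRAP"  # toy container header, standing in for the document lure

# Constructed stand-ins for dropped executables.
# PAYLOAD_V1 is the "weeks-old" executable that AV already knows.
PAYLOAD_V1 = b"MZ" + b"\x55\x8b\xec\x83\xec\x20" + b"bank-inject-v1\x00" + b"\xc9\xc3"
# PAYLOAD_V1 with junk appended: the "trivial change / random data" case.
PAYLOAD_V1_PADDED = PAYLOAD_V1 + b"\x00" * 64 + b"\x90" * 16
# A rebuilt payload with different code bytes and strings: the polymorphic case.
PAYLOAD_V2 = b"MZ" + b"\x53\x56\x57\x8b\xf1\x8d\x4e\x04" + b"svc-helper\x00" + b"\x5f\x5e\x5b\xc3"


def wrap(payload: bytes, padding: bytes) -> bytes:
    """Build a lure: magic | padding length | padding | dropped payload."""
    return MAGIC + struct.pack("<H", len(padding)) + padding + payload


def unwrap(blob: bytes) -> bytes:
    """Extract the dropped payload from a lure, or raise if it is not one."""
    if blob[:4] != MAGIC:
        raise ValueError("not a recognised container")
    (pad_len,) = struct.unpack("<H", blob[4:6])
    return blob[6 + pad_len:]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The lure AV first saw weeks ago, and the signature database built from it:
# exact file hashes for the lure and its payload, plus one byte pattern taken
# from a string inside the payload.
ORIGINAL_LURE = wrap(PAYLOAD_V1, b"\x00" * 4)
KNOWN_BAD_HASHES = {sha256(ORIGINAL_LURE), sha256(PAYLOAD_V1)}
KNOWN_BAD_PATTERNS = [b"bank-inject-v1"]


def scan(blob: bytes):
    """Return the layer/method that flagged the sample, or None if it evaded."""
    if sha256(blob) in KNOWN_BAD_HASHES:
        return "wrapper-hash"          # the whole lure file is already known
    try:
        payload = unwrap(blob)
    except ValueError:
        return None
    if sha256(payload) in KNOWN_BAD_HASHES:
        return "payload-hash"          # new wrapper, old dropped executable
    if any(p in payload for p in KNOWN_BAD_PATTERNS):
        return "payload-pattern"       # hash changed, but content still recognisable
    return None                        # nothing static matches


def campaign():
    """Four lures, in the order the article's narrative escalates them."""
    return {
        "original_lure": scan(ORIGINAL_LURE),
        "rewrapped_old_payload": scan(wrap(PAYLOAD_V1, b"\x11" * 8)),
        "old_payload_plus_junk": scan(wrap(PAYLOAD_V1_PADDED, b"\x22" * 8)),
        "regenerated_payload": scan(wrap(PAYLOAD_V2, b"\x33" * 8)),
    }


if __name__ == "__main__":
    for name, verdict in campaign().items():
        print(f"{name:24s} -> {verdict}")
```

Read top to bottom, the four verdicts trace the escalation the article describes: changing only the wrapper defeats a scanner that hashes whole files but not one that unpacks and hashes the dropped executable; appending junk defeats the payload hash but not a content pattern; a payload rebuilt as genuinely different software returns None from every static check, which is the situation in which Bromium argues for isolating the document in a virtual machine and judging it by what it does rather than what it looks like.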