ProcessGuard and droppers
WHY use Execution Protection? ProcessGuard has this feature, and it works very well against droppers. As seen in the screenshot, this file cannot simply be unpacked with WinZip or WinRAR - always the first thing to check before running a possible installer!

As you can also see, I extracted the files during analysis - the 3 files are in a new folder, also shown. This trojan is detected by TrojanHunter as TrojanClicker.Small.115.
So what's this got to do with ProcessGuard? Everything! I safely extracted these files without any of them running, all in the comfort that ProcessGuard gives - programs cannot run without you allowing them to. I simply:
a) Ran the installer; it immediately tried to launch a new file.
b) ProcessGuard showed that the file was in the TEMP folder, so I went there and renamed the 3 files - you can see them in the DROPPED folder above.
c) Then pressed DENY, and the program exited as if nothing had ever happened. It tried to delete its temporary files of course, which is why I had renamed them beforehand to save them.
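As an added illustration (not part of the original post, and not ProcessGuard's own code), the following Python models the execution-protection decision and the rename-before-DENY trick from step b): an unlisted binary that an installer tries to launch out of the TEMP folder is refused, and the dropped files are renamed first so the dropper's exit-time clean-up cannot find them. The allow-list entry, file names and file contents are constructed samples.

```python
import os
import shutil
import tempfile
from dataclasses import dataclass


@dataclass
class ExecEvent:
    parent_image: str  # process asking to start something (the installer)
    child_image: str   # executable it wants to launch


def _norm(path):
    return os.path.normcase(os.path.abspath(path))


def is_under(path, root):
    """True if path lies inside root (both normalised to absolute paths)."""
    return os.path.commonpath([_norm(path), _norm(root)]) == _norm(root)


def decide(event, allowlist, temp_dir):
    """Execution-protection style verdict: only allow-listed images may start.
    An unlisted child launched out of TEMP is the classic dropper pattern."""
    if _norm(event.child_image) in {_norm(a) for a in allowlist}:
        return "ALLOW"
    if is_under(event.child_image, temp_dir):
        return "DENY_DROPPER"
    return "DENY"


def preserve(dropped_paths, keep_dir):
    """Step b): rename the dropped files before pressing DENY so the dropper's
    clean-up (delete by original name) no longer finds them. Returns new paths."""
    os.makedirs(keep_dir, exist_ok=True)
    kept = []
    for p in dropped_paths:
        dest = os.path.join(keep_dir, os.path.basename(p) + ".dropped")
        os.replace(p, dest)  # a rename, not a copy: the original name is gone
        kept.append(dest)
    return kept


def demo():
    """Constructed scenario: installer drops 3 files into TEMP, tries to run one."""
    temp = tempfile.mkdtemp(prefix="pg_temp_")
    drops = []
    for name in ("setup1.exe", "svc.dll", "cfg.dat"):  # constructed names
        p = os.path.join(temp, name)
        with open(p, "wb") as f:
            f.write(b"MZ constructed sample, not a real binary\n")
        drops.append(p)
    event = ExecEvent(parent_image="installer.exe", child_image=drops[0])
    verdict = decide(event, allowlist=["/usr/bin/allowed-tool"], temp_dir=temp)
    kept = preserve(drops, os.path.join(temp, "DROPPED"))
    survived = all(os.path.exists(k) for k in kept)
    originals_gone = not any(os.path.exists(d) for d in drops)  # clean-up would miss
    shutil.rmtree(temp)
    return verdict, survived, originals_gone
```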
On with the trojan's analysis! The attacker tried to use an installer to bypass AV detection - and it will work for some scanners. KAV nailed it by knowing the installer and unpacking it... but that's a story for other dropper articles :)
Note - this type of thing is done in a VIRTUAL machine, just in case. A dropper could use file infection (viral) or run other nasty code before executing the payload (although I knew this installer didn't). The only option used was to drop and execute files.