Seeing through Smoke: analysis of the cheapest loader around

Micky Pun Fortinet

  download slides (PDF)

In the tremendously layered cybercriminal scene, 'loaders' play a central role today: they enable the pay-per-install business, a typical B2B application (or should we say C2C, as in Cybercriminal-to-Cybercriminal?). This highlights the specialization of cybercriminals: malware distribution is outsourced to the owners of loader botnets.

Should one want to start such a business, loaders can be bought on underground forums with prices usually starting at around $350. As we will see in this paper, though, a particular loader named Smoke Loader (detected as Dofoil) recently attempted to disrupt the market, being offered at half this price. Judging by the spreading activity it showed on our probes between June 2011 and January 2012, it had significant success.

We will thus dissect Smoke Loader and its evolutions, adopting both a black box (traffic analysis) and white box (code reversing) comprehensive approach. As we will see, it is not devoid of features, and is heavily modular; as such, it can be awarded the title of 'Swiss Army Knife', much like more expensive loaders. We will compare it with other loaders, highlighting its strengths and weaknesses versus its competitors.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.