{"id":36669,"date":"2014-07-14T23:58:15","date_gmt":"2014-07-15T06:58:15","guid":{"rendered":"https:\/\/blogs.mcafee.com\/?p=36669"},"modified":"2025-05-29T03:41:31","modified_gmt":"2025-05-29T10:41:31","slug":"dofoil-downloader-update-adds-xor-rc4-based-encryption","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/dofoil-downloader-update-adds-xor-rc4-based-encryption\/","title":{"rendered":"Dofoil Downloader Update Adds XOR-, RC4-Based Encryption"},"content":{"rendered":"<p><em>This blog was written by Sanchit Karve.<\/em><\/p>\n<p>The Dofoil downloader (found in the wild since 2011) occasionally updates itself with new features and encryption techniques to hide communications with its control servers. The latest iteration uses a variation of XOR and RC4 algorithms similar to previous variants to encrypt the list of control servers within the binary and encrypt all traffic with the server.<\/p>\n<h2>Anti-analysis Tricks<\/h2>\n<p>The Dofoil sample we analyzed (D8AB2694A8AAA0FA729AC0FCC93767A2) contained many antianalysis tricks common to previous versions:<\/p>\n<ul>\n<li>Code obfuscation<\/li>\n<li>Self-modifying code<\/li>\n<li>Sleep for an infinite time if sample is named sample.exe<\/li>\n<li>Sleep for an infinite time if volume serial number of C:\\ is 0xCD1A40 (anti-ThreatExpert) or 0x70144646 (unknown)<\/li>\n<li>CPU-specific checks<\/li>\n<li>Virtual machine presence based on an entry in HKLM\\System\\CurrentControlSet\\Services\\Disk\\Enum<\/li>\n<li>Presence of sandboxing, etc.<\/li>\n<li>BeingDebugged and NTGlobalFlags checks in the process environment block<\/li>\n<\/ul>\n<p>As in previous versions, a GET request to msn.com is made to confirm an active Internet connection on an infected machine.<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoil13.png\"><img loading=\"lazy\" decoding=\"async\" title=\"skarve_dofoil1\" 
src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoil1_thumb.png\" alt=\"skarve_dofoil1\" width=\"623\" height=\"74\" \/><\/a><\/p>\n<p>After the confirmation, the sample proceeds to decrypt the location of its control servers, which are encrypted and stored in a lookup table.<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoil22.png\"><img loading=\"lazy\" decoding=\"async\" title=\"skarve_dofoil2\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoil2_thumb.png\" alt=\"skarve_dofoil2\" width=\"348\" height=\"59\" \/><\/a><\/p>\n<p>The encrypted strings for the control server domain names are visible in high-entropy areas:<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoil32.png\"><img loading=\"lazy\" decoding=\"async\" title=\"skarve_dofoil3\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoil3_thumb.png\" alt=\"skarve_dofoil3\" width=\"599\" height=\"308\" \/><\/a><\/p>\n<p>To decrypt, the samples use an XOR-based encryption scheme. The encrypted data conforms to the following format:<\/p>\n<p>&nbsp;<\/p>\n<table border=\"1\" width=\"294\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td valign=\"top\" width=\"65\"><b>SIZE<\/b><\/td>\n<td valign=\"top\" width=\"133\"><b>\u00a0 NAME<\/b><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"65\">BYTE<\/td>\n<td valign=\"top\" width=\"133\">\u00a0 xor_key<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"65\">DWORD<\/td>\n<td valign=\"top\" width=\"133\">\u00a0 size_of_encrypted_data<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"65\">size_of_encrypted_data<\/td>\n<td valign=\"top\" width=\"133\">\u00a0 encrypted_data<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>One decrypted byte is represented with two encrypted bytes in this scheme. Two bytes are read from the encrypted data and individually XORed with the one-byte key. 
The difference between the two values yields the decrypted byte. The size_of_encrypted_data field is a bit misleading because it contains an intentionally large value that the sample corrects during its decryption. When decrypted, the control servers are visible:<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/wp-content\/skarve_dofoil42.png\">skarve_dofoil4<\/a><\/p>\n<p>The sample we examined contains three control servers: hxxp:\/\/zoneserveryu(788|789|790)[dot]com<\/p>\n<p>All communications with a server take place over HTTP POST requests; the commands are encrypted with an RC4-based algorithm. Unlike previous variants, in which the MD5 of the infected computer along with the volume serial number of C:\\ was passed as the login parameter, the new variant uses a 160-bit hash composed of five components. For example, for the following command string, the login field translates to five DWORDs:<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoil52.png\"><img loading=\"lazy\" decoding=\"async\" title=\"skarve_dofoil5\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoil5_thumb.png\" alt=\"skarve_dofoil5\" width=\"617\" height=\"22\" \/><\/a><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td valign=\"top\" width=\"199\">CRC32 (username) XOR (address of \u201c&amp;hash=\u201d stored in memory)<\/td>\n<td valign=\"top\" width=\"126\">CRC32 of computer username<\/td>\n<td valign=\"top\" width=\"148\">CRC32 (username) XOR CRC32 (volume serial)<\/td>\n<td valign=\"top\" width=\"158\">CRC32 (volume serial) XOR (address of \u201c&amp;hash=\u201d stored in memory)<\/td>\n<td valign=\"top\" width=\"72\">Volume serial number of C:\\<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>It\u2019s unclear why the malware authors introduced redundancy in the hash. 
The command is encrypted, prefixed with its size and four-byte encryption key, and sent to the server like so:<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoil62.png\"><img loading=\"lazy\" decoding=\"async\" title=\"skarve_dofoil6\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoil6_thumb.png\" alt=\"skarve_dofoil6\" width=\"401\" height=\"275\" \/><\/a><\/p>\n<p>When the command is decrypted with the following algorithm, we can see the original command:<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoil72.png\"><img loading=\"lazy\" decoding=\"async\" title=\"skarve_dofoil7\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoil7_thumb.png\" alt=\"skarve_dofoil7\" width=\"637\" height=\"242\" \/><\/a><\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoil82.png\"><img loading=\"lazy\" decoding=\"async\" title=\"skarve_dofoil8\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoil8_thumb.png\" alt=\"skarve_dofoil8\" width=\"588\" height=\"246\" \/><\/a><\/p>\n<p>The initial request gets a 404\/not found response with an encoded body from the control server.<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoil10.png\"><img loading=\"lazy\" decoding=\"async\" title=\"skarve_dofoil10\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoil10_thumb.png\" alt=\"skarve_dofoil10\" width=\"541\" height=\"617\" \/><\/a><\/p>\n<p>The body consists of encoded commands from the server along with a plug-in file (executable DLL) encrypted with the same algorithm listed above except that it uses a 13-byte key. 
It decrypts to:<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoil111.png\"><img loading=\"lazy\" decoding=\"async\" title=\"skarve_dofoil11\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoil11_thumb.png\" alt=\"skarve_dofoil11\" width=\"591\" height=\"819\" \/><\/a><\/p>\n<p>The plug-in file usually has an exported function \u201cWork\u201d and could contain functionality for additional commands and features.<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoil121.png\"><img loading=\"lazy\" decoding=\"async\" title=\"skarve_dofoil12\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoil12_thumb.png\" alt=\"skarve_dofoil12\" width=\"600\" height=\"439\" \/><\/a><\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoil131.png\"><img loading=\"lazy\" decoding=\"async\" title=\"skarve_dofoil13\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoil13_thumb.png\" alt=\"skarve_dofoil13\" width=\"627\" height=\"466\" \/><\/a><\/p>\n<p>When the sample wishes to download additional malware, it passes a file number using the file parameter:<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoil92.png\"><img loading=\"lazy\" decoding=\"async\" title=\"skarve_dofoil9\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoil9_thumb1.png\" alt=\"skarve_dofoil9\" width=\"580\" height=\"188\" \/><\/a><\/p>\n<p>The server responds with a 404 response but passes on new malware in the content of the response. 
It also passes its own command in the \u201cVary\u201d header.<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoila3.png\"><img loading=\"lazy\" decoding=\"async\" title=\"skarve_dofoila\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoila_thumb1.png\" alt=\"skarve_dofoila\" width=\"473\" height=\"281\" \/><\/a><\/p>\n<p>The sample is equipped to handle four commands: to write downloaded files to disk and execute them, remove itself, silently register DLLs, and inject content directly into memory.<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoilb2.png\"><img loading=\"lazy\" decoding=\"async\" title=\"skarve_dofoilb\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoilb_thumb.png\" alt=\"skarve_dofoilb\" width=\"296\" height=\"489\" \/><\/a><\/p>\n<p>The sample returns the result of its command to the server. For example, if the server responds with \u201c0-AAAAAA,\u201d the sample writes the downloaded sample to disk (in %APPDATA% or %TEMP%) and executes it. If it succeeds, it responds with the run=ok command. 
If the sample fails to execute, it sends run=fail.<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoilc3.png\"><img loading=\"lazy\" decoding=\"async\" title=\"skarve_dofoilc\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoilc_thumb.png\" alt=\"skarve_dofoilc\" width=\"589\" height=\"155\" \/><\/a><\/p>\n<p>Eventually, the sample downloads password stealers and spam bots, which send spam claiming to be from Amazon.com, and embeds an attachment containing the original sample to spread itself:<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoild2.png\"><img loading=\"lazy\" decoding=\"async\" title=\"skarve_dofoild\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoild_thumb.png\" alt=\"skarve_dofoild\" width=\"624\" height=\"192\" \/><\/a><\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoile2.png\"><img loading=\"lazy\" decoding=\"async\" title=\"skarve_dofoile\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoile_thumb.png\" alt=\"skarve_dofoile\" width=\"750\" height=\"771\" \/><\/a><\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoilf2.png\"><img loading=\"lazy\" decoding=\"async\" title=\"skarve_dofoilf\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoilf_thumb1.png\" alt=\"skarve_dofoilf\" width=\"624\" height=\"318\" \/><\/a><\/p>\n<p>McAfee customers are protected from this threat by Downloader-FAFW and other signatures.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This blog was written by Sanchit Karve. 
The Dofoil downloader (found in the wild since 2011) occasionally updates itself with&#8230;<\/p>\n","protected":false},"author":695,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[1814,338,180],"coauthors":[4136],"class_list":["post-36669","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-computer-security","tag-endpoint-protection","tag-malware"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Dofoil Downloader Update Adds XOR-, RC4-Based Encryption | McAfee Blog<\/title>\n<meta name=\"description\" content=\"This blog was written by Sanchit Karve. The Dofoil downloader (found in the wild since 2011) occasionally updates itself with new features and encryption\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Dofoil Downloader Update Adds XOR-, RC4-Based Encryption | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"This blog was written by Sanchit Karve. 
The Dofoil downloader (found in the wild since 2011) occasionally updates itself with new features and encryption\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/dofoil-downloader-update-adds-xor-rc4-based-encryption\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2014-07-15T06:58:15+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-05-29T10:41:31+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoil1_thumb.png\" \/>\n<meta name=\"author\" content=\"McAfee Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee_Labs\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee Labs\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/dofoil-downloader-update-adds-xor-rc4-based-encryption\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/dofoil-downloader-update-adds-xor-rc4-based-encryption\/\"},\"author\":{\"name\":\"McAfee Labs\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\"},\"headline\":\"Dofoil Downloader Update Adds XOR-, RC4-Based Encryption\",\"datePublished\":\"2014-07-15T06:58:15+00:00\",\"dateModified\":\"2025-05-29T10:41:31+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/dofoil-downloader-update-adds-xor-rc4-based-encryption\/\"},\"wordCount\":721,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/dofoil-downloader-update-adds-xor-rc4-based-encryption\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoil1_thumb.png\",\"keywords\":[\"computer security\",\"endpoint protection\",\"malware\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/dofoil-downloader-update-adds-xor-rc4-based-encryption\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/dofoil-downloader-update-adds-xor-rc4-based-encryption\/\",\"name\":\"Dofoil Downloader Update Adds XOR-, RC4-Based Encryption | McAfee 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/dofoil-downloader-update-adds-xor-rc4-based-encryption\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/dofoil-downloader-update-adds-xor-rc4-based-encryption\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoil1_thumb.png\",\"datePublished\":\"2014-07-15T06:58:15+00:00\",\"dateModified\":\"2025-05-29T10:41:31+00:00\",\"description\":\"This blog was written by Sanchit Karve. The Dofoil downloader (found in the wild since 2011) occasionally updates itself with new features and encryption\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/dofoil-downloader-update-adds-xor-rc4-based-encryption\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/dofoil-downloader-update-adds-xor-rc4-based-encryption\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/dofoil-downloader-update-adds-xor-rc4-based-encryption\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoil1_thumb.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoil1_thumb.png\",\"width\":623,\"height\":74},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/dofoil-downloader-update-adds-xor-rc4-based-encryption\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other 
Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Dofoil Downloader Update Adds XOR-, RC4-Based Encryption\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\",\"name\":\"McAfee 
Labs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"caption\":\"McAfee Labs\"},\"description\":\"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee_Labs\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Dofoil Downloader Update Adds XOR-, RC4-Based Encryption | McAfee Blog","description":"This blog was written by Sanchit Karve. The Dofoil downloader (found in the wild since 2011) occasionally updates itself with new features and encryption","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Dofoil Downloader Update Adds XOR-, RC4-Based Encryption | McAfee Blog","og_description":"This blog was written by Sanchit Karve. 
The Dofoil downloader (found in the wild since 2011) occasionally updates itself with new features and encryption","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/dofoil-downloader-update-adds-xor-rc4-based-encryption\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2014-07-15T06:58:15+00:00","article_modified_time":"2025-05-29T10:41:31+00:00","og_image":[{"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoil1_thumb.png","type":"","width":"","height":""}],"author":"McAfee Labs","twitter_card":"summary_large_image","twitter_creator":"@McAfee_Labs","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee Labs","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/dofoil-downloader-update-adds-xor-rc4-based-encryption\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/dofoil-downloader-update-adds-xor-rc4-based-encryption\/"},"author":{"name":"McAfee Labs","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad"},"headline":"Dofoil Downloader Update Adds XOR-, RC4-Based Encryption","datePublished":"2014-07-15T06:58:15+00:00","dateModified":"2025-05-29T10:41:31+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/dofoil-downloader-update-adds-xor-rc4-based-encryption\/"},"wordCount":721,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/dofoil-downloader-update-adds-xor-rc4-based-encryption\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoil1_thumb.png","keywords":["computer security","endpoint 
protection","malware"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/dofoil-downloader-update-adds-xor-rc4-based-encryption\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/dofoil-downloader-update-adds-xor-rc4-based-encryption\/","name":"Dofoil Downloader Update Adds XOR-, RC4-Based Encryption | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/dofoil-downloader-update-adds-xor-rc4-based-encryption\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/dofoil-downloader-update-adds-xor-rc4-based-encryption\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoil1_thumb.png","datePublished":"2014-07-15T06:58:15+00:00","dateModified":"2025-05-29T10:41:31+00:00","description":"This blog was written by Sanchit Karve. 
The Dofoil downloader (found in the wild since 2011) occasionally updates itself with new features and encryption","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/dofoil-downloader-update-adds-xor-rc4-based-encryption\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/dofoil-downloader-update-adds-xor-rc4-based-encryption\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/dofoil-downloader-update-adds-xor-rc4-based-encryption\/#primaryimage","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoil1_thumb.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/skarve_dofoil1_thumb.png","width":623,"height":74},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/dofoil-downloader-update-adds-xor-rc4-based-encryption\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Dofoil Downloader Update Adds XOR-, RC4-Based Encryption"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security 
News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad","name":"McAfee Labs","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","caption":"McAfee Labs"},"description":"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. 
See our blog posts below for more information.","sameAs":["https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee_Labs"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/36669","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/695"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=36669"}],"version-history":[{"count":6,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/36669\/revisions"}],"predecessor-version":[{"id":214722,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/36669\/revisions\/214722"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=36669"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=36669"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=36669"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=36669"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}