Archive for the ‘Packer-Magic’ Category

Unpacking NsPack

Sunday, March 25th, 2007

NsPack is a commercial packer sold by North Star Software. NsPack is quite a common packer used in malware, with the packing usually done with cracked and pirated versions of the software. (more…)

Unpacking PE-PACK

Sunday, March 25th, 2007

PE-PACK is a remnant from the old days. Released in 1998 by ANAKiN, it isn’t uncommon to stumble onto a variant packed with it even today. I received a spam email today that carried a piece of malware packed with PE-PACK. The malware itself was largely undetected by AVs. It’s a mass-mailing worm detected either as W32.Huegone or W32/Walla, and it targets Arabic or Persian computers only. It contains some cscript and whatnot, but enough on the malware itself, let’s get back to the packer. (more…)

Unpacking Exe32Pack

Sunday, March 11th, 2007

Exe32Pack is a relatively rarely used packer in the malware world, but I stumble onto samples occasionally. I wrote an unpacker for it a few months back and decided that I might as well give some instructions on how to do it manually. (more…)

Signature detection and generation

Wednesday, February 28th, 2007

Usually when dealing with unknown malware it’s interesting to know if there are any packers / protectors used in the malware. For a seasoned malware analyst it’s easy to spot whether any of those are present or not. But even the best analyst can’t outright say what the actual packer / protector is on every sample. There are some publicly available signature scanners, with PEiD being the most widely known.

(more…)

Avoiding debugger detection

Sunday, February 25th, 2007

It’s quite common to run into malicious programs (malware) that deploy various methods to detect debuggers. It’s good to be aware of what can be thrown in your face when you’re analyzing or unpacking malware. I’ll list a few here, and some ways to circumvent them.

(more…)

Jumpin’ Jack

Sunday, February 18th, 2007

I ran into an unknown protector a few days ago. The main protection in it is boredom: it jumps around and around hundreds of times, executing junk code a few times in between. It does have some anti-debug and anti-analysis tricks, but the fact that I bypassed all the protections manually in under 15 mins says a lot about the quality. I reckon it’s been done by some poor botherder somewhere who is now being “sooooo l337”. Main tricks in the protector were:

  • A few xor decrypts
  • IsDebuggerPresent calls
  • CheckRemoteDebuggerPresent calls
  • FindWindow calls searching for OllyDbg
  • The old CreateFileA trick on \\.\NTICE
  • Several timing checks using rdtsc

OllyDbg first refused to debug the file, and when I took a look at the PE header it was quite obvious why :)
The number of directory entries was set to 2B4ADD80h, instead of the normal 10. After manually fixing the headers, the file was ready to receive some gentle love and care from OllyDbg.
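A sanity check for the field OllyDbg choked on, added here as an example that is not part of the original post: it reads NumberOfRvaAndSizes from the PE optional header, flags anything above the normal 16 (10h) entries, and resets the field the way the post describes doing by hand. build_stub_pe is an assumed helper that constructs a minimal PE32 header for testing, not a real sample.

```python
import struct

IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16   # the "normal 10h" directory count
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def _rva_count_offset(data: bytes) -> int:
    """File offset of OptionalHeader.NumberOfRvaAndSizes (PE32 or PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                 # skip "PE\0\0" and the COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        return opt + 92
    if magic == PE32PLUS_MAGIC:
        return opt + 108
    raise ValueError(f"unknown optional header magic {magic:#x}")


def number_of_rva_and_sizes(data: bytes) -> int:
    return struct.unpack_from("<I", data, _rva_count_offset(data))[0]


def header_is_sane(data: bytes) -> bool:
    """A loader/debugger expects at most 16 data directories; more is a tell."""
    return number_of_rva_and_sizes(data) <= IMAGE_NUMBEROF_DIRECTORY_ENTRIES


def repair_directory_count(data: bytes) -> bytes:
    """Return a copy with the count reset to 16, the manual fix from the post."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, _rva_count_offset(buf),
                     IMAGE_NUMBEROF_DIRECTORY_ENTRIES)
    return bytes(buf)


def build_stub_pe(rva_count: int) -> bytes:
    """Constructed minimal PE32 header (not a runnable executable) for tests."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, rva_count)          # NumberOfRvaAndSizes
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```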

If you run into any interesting samples regarding packers or malware, you can send samples in a password protected zip to samples_at_teamfurry_dot_com

——————————–

Update 11.3.2007:

The packer in question is something called AlexProtector :)

Unpacking PolyCryptPE

Tuesday, February 6th, 2007

As the name hints, PolyCryptPE is a polymorphic executable packer that was made by JLabSoftware, but has since been dropped from development. JLabSoftware got into some heated arguments after at least one anti-virus vendor, Kaspersky, flagged every file packed with PolyCryptPE. Anyway, PolyCryptPE deploys some nice stuff like file locking, API hooking and some inlined anti-debug and anti-dump tricks.

(more…)

UPX unpacking

Monday, February 5th, 2007

UPX is considered to be the easiest packer to unpack. It is very popular, open source and widely used.

Before trying to unpack UPX manually, you might want to visit the official UPX site to grab their command line tool.

Try to unpack the binary by running “upx -d <file>”. If the tool cannot unpack the file, then use the following steps to do it manually.

(more…)

Welcome and first entry

Monday, February 5th, 2007

I’ve always thought blogging is retarded, but since that can be used to describe me too I thought I’d give it a shot :)

So, for the first entry you can feast on: Under the hood in FSG

FSG (Fast Small Good) is a packer that’s widely used to pack various malware. It was originally created to pack assembly demos, but was later adapted to more malicious purposes. FSG is pretty easy to recognize, and even easier to unpack. (more…)
