Malware Tricks I

2009, Dec 02    

Today, while analyzing a malware family (the family some vendors call “Krap”), I noticed a good anti-emulation technique that was new, at least to me. What do you think this sample code does?

some_func:
  ; Do stuff…

start:
  push offset some_func   ; address we want to end up at
  jmp edx                 ; EDX = ntdll!KiFastSystemCallRet at process entry (see below)

What is this? We push the address of some_func onto the stack and then jump unconditionally to the address held in EDX. The question is: what does EDX contain before the first instruction of the program executes? On a real Windows system, when the process entry point runs, EDX holds the address of ntdll!KiFastSystemCallRet.

So, basically, we are jumping to a function that consists of nothing but a ret (see a detailed description of KiFastSystemCallRet), which pops the address we just pushed and effectively returns into some_func. The emulators I tested, for example the Bochs debugger module that comes with IDA Pro, initialize all the registers to 0. With EDX = 0 the jmp lands at address 0, so the emulated run faults before it ever reaches some_func, while the same sample runs normally on a real machine. Note that the value left in EDX at the entry point is an artifact of how the Windows loader hands control to the program, not a documented contract, so a sample that depends on it trades portability across Windows versions for stealth. A cool trick, and the first time I have seen it.
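To make the effect concrete, here is an added example (it is not code from the post or from the Krap sample): a toy x86 emulator in Python that knows just enough instructions to run the push/jmp edx stub, once with EDX seeded the way the loader leaves it and once with EDX zeroed the way the author's emulators did. The addresses, the layout, and the one-byte ret standing in for ntdll!KiFastSystemCallRet are all assumptions.

```python
# Added example, not code from the original post or from the Krap sample: a toy
# x86 emulator with just enough instructions to run the
# "push offset some_func / jmp edx" stub and show why the initial value of EDX
# decides whether the sample runs. The layout, the addresses and the one-byte
# 'ret' standing in for ntdll!KiFastSystemCallRet are all assumptions.
import struct

SOME_FUNC = 0x00401000   # some_func:  nop ; hlt      (hypothetical, stands in for "do stuff")
START     = 0x00401010   # start:      push offset some_func ; jmp edx
RET_STUB  = 0x7C90EB94   # hypothetical address of a lone 'ret' (our KiFastSystemCallRet)
INIT_ESP  = 0x0012FF80   # arbitrary initial stack pointer


class EmuFault(Exception):
    """Raised when the toy emulator fetches from memory it does not model."""


def build_memory():
    """Place the three code fragments in a sparse address -> byte map."""
    mem = {}

    def load(addr, code):
        for i, b in enumerate(code):
            mem[addr + i] = b

    load(SOME_FUNC, b"\x90\xf4")                                        # nop ; hlt
    load(START, b"\x68" + struct.pack("<I", SOME_FUNC) + b"\xff\xe2")   # push imm32 ; jmp edx
    load(RET_STUB, b"\xc3")                                             # ret
    return mem


class Emu:
    """Executes push imm32, jmp edx, ret, nop and hlt; everything else faults."""

    def __init__(self, mem, eip, edx):
        self.mem, self.eip, self.edx = mem, eip, edx
        self.esp, self.stack = INIT_ESP, {}      # toy stack: esp -> dword
        self.halted, self.trace = False, []

    def fetch(self, addr, n=1):
        try:
            return bytes(self.mem[addr + i] for i in range(n))
        except KeyError:
            raise EmuFault(f"fetch from unmapped address {addr:#010x}") from None

    def step(self):
        eip = self.eip
        self.trace.append(eip)
        op = self.fetch(eip)[0]
        if op == 0x68:                                        # push imm32
            self.esp -= 4
            self.stack[self.esp] = struct.unpack("<I", self.fetch(eip + 1, 4))[0]
            self.eip = eip + 5
        elif op == 0xFF and self.fetch(eip + 1)[0] == 0xE2:   # jmp edx
            self.eip = self.edx
        elif op == 0xC3:                                      # ret
            if self.esp not in self.stack:
                raise EmuFault("ret with nothing on the toy stack")
            self.eip = self.stack.pop(self.esp)
            self.esp += 4
        elif op == 0x90:                                      # nop
            self.eip = eip + 1
        elif op == 0xF4:                                      # hlt: end of the toy run
            self.halted = True
        else:
            raise EmuFault(f"unsupported opcode {op:#04x} at {eip:#010x}")

    def run(self, max_steps=32):
        while not self.halted and len(self.trace) < max_steps:
            self.step()
        return self.trace


def emulate_entry(edx_at_entry):
    """Run the stub from START with the given initial EDX.
    Returns ("ok", trace_of_eips) or ("fault", message)."""
    emu = Emu(build_memory(), eip=START, edx=edx_at_entry)
    try:
        return "ok", emu.run()
    except EmuFault as e:
        return "fault", str(e)


if __name__ == "__main__":
    # Loader-like state: EDX points at a 'ret', so control reaches some_func.
    print("EDX = ret stub :", emulate_entry(RET_STUB))
    # Emulator that zeroes every register: jmp edx lands at address 0 and faults.
    print("EDX = 0        :", emulate_entry(0))
```

With the ret stub in EDX the trace goes start, jmp, ret stub, some_func; with EDX = 0 the run dies fetching from address 0. The lesson for an emulator author is the mirror image of the trick: seed the entry-point register state the way the real loader does instead of zeroing everything.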

The tricks I typically find in malware are undocumented (or non-typical) API calls mixed with junk code, as in the following example, extracted from a Mebroot downloader:

  000013a7 PUSH 0x74327ebc
  000013ac CALL KERNEL32.dll!WriteFile          ; WriteFile takes five arguments; only a bogus handle is pushed
  000013b2 TEST EAX, EAX                        ; expected to fail on a real system (EAX = 0)
  000013b4 JZ 0x000013bb      ; 1               ; real path
  000013b6 JMP 0x0000108e     ; 2               ; path taken if an emulator fakes success
  000013bb PUSH 0x0
  000013bd CALL KERNEL32.dll!DisconnectNamedPipe  ; DisconnectNamedPipe(NULL)

Junk code using relatively common APIs:

  00001c1f PUSH 0x0
  00001c21 PUSH 0x0
  00001c23 CALL SHLWAPI.dll!SHDeleteKeyA        ; SHDeleteKeyA(NULL, NULL)
  00001c29 PUSH 0x100
  00001c2e CALL msvcrt.dll!malloc               ; malloc(0x100)
  00001c34 ADD ESP, 0x4                         ; cdecl: caller cleans the argument
  00001c37 PUSH EAX
  00001c38 CALL msvcrt.dll!free                 ; free the block straight away
  00001c3e ADD ESP, 0x4
  00001c41 PUSH 0x0
  00001c43 CALL WINMM.dll!timeKillEvent         ; timeKillEvent(0)
  00001c49 PUSH 0x10005129                      ; format string pointer
  00001c4e LEA EAX, [EBP-0x20]
  00001c51 PUSH EAX                             ; output buffer on the stack
  00001c52 CALL USER32.dll!wsprintfA
  00001c58 ADD ESP, 0x8
  00001c5b PUSH 0x0
  00001c5d CALL ADVAPI32.dll!RegCloseKey        ; RegCloseKey(NULL)
  00001c63 CALL ole32.dll!OleUninitialize

Very simple API calls that emulators commonly do not implement (extracted from the dropper of the TDSS rootkit):

  00000813 XOR ESI, ESI
  00000815 PUSH ESI
  00000816 MOV EAX, [0x40600c]        ; kernel32.dll!GetModuleHandleA
  0000081d CALL EAX                   ; GetModuleHandleA(NULL)
  0000081f PUSH 0x74                  ; 't'
  00000821 MOV EAX, [0x406080]        ; msvcrt.dll!iscntrl
  00000827 CALL EAX                   ; iscntrl('t') == 0 in a real CRT
  00000829 POP ECX                    ; cdecl: caller removes the argument
  0000082a TEST EAX, EAX
  0000082c JNZ 0x000008ad     ; 1     ; not taken with a real CRT; an emulator returning garbage diverges here
  00000832 PUSH 0x6d
  00000834 PUSH 0x68
  00000836 MOV EAX, [0x40607c]        ; msvcrt.dll!is_wctype
  0000083d CALL EAX                   ; is_wctype(0x68, 0x6d)

Or odd x86 encodings such as multi-byte NOPs with redundant prefixes and so on (found in some variants of Sality):

  f30f1f90909090.   rep nop [eax+0x66909090]
                    ; F3 is a REP prefix that means nothing on a NOP; 0F 1F /r is the
                    ; multi-byte NOP; ModRM 90 selects [eax+disp32], so the instruction
                    ; is 8 bytes long and a decoder that does not know 0F 1F loses sync
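To see exactly what a decoder has to get right here, the following is an added Python example (not code from the post or from Sality): a small decoder for the NOP family (90 and 0F 1F /r) that tolerates redundant legacy prefixes and computes the instruction length, plus a helper that steps over a sled of such NOPs to find the real code. The sample bytes are constructed from the disassembly in the listing above: a displacement of 0x66909090 means the four displacement bytes are 90 90 90 66 in little-endian order. 32-bit addressing is assumed throughout.

```python
# Added example, not from the original post or from the Sality sample: a tiny
# decoder for x86 NOP encodings (90, and the 0F 1F /r multi-byte NOP) that
# tolerates redundant legacy prefixes. Sample bytes are constructed from the
# disassembly in the listing above; 32-bit addressing is assumed throughout.

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
LEGACY_PREFIXES = {
    0xF0: "lock", 0xF2: "repne", 0xF3: "rep",
    0x26: "es", 0x2E: "cs", 0x36: "ss", 0x3E: "ds", 0x64: "fs", 0x65: "gs",
    0x66: "opsize",          # 0x67 (address size) is deliberately not accepted
}


class DecodeError(ValueError):
    """Raised on truncated input or on a byte that is not a NOP encoding."""


def _need(code, end):
    if end > len(code):
        raise DecodeError("truncated instruction")


def decode_modrm(code, pos):
    """Decode a ModRM byte (plus SIB and displacement) at code[pos:] under
    32-bit addressing. Returns (operand_text, bytes_consumed)."""
    _need(code, pos + 1)
    modrm = code[pos]
    mod, rm = modrm >> 6, modrm & 7
    if mod == 3:                                   # register operand
        return REGS32[rm], 1
    size, parts, disp, disp_size = 1, [], 0, 0
    if rm == 4:                                    # SIB byte follows
        _need(code, pos + 2)
        sib = code[pos + 1]
        size += 1
        scale, index, base = 1 << (sib >> 6), (sib >> 3) & 7, sib & 7
        if base == 5 and mod == 0:                 # [index*scale + disp32], no base
            disp_size = 4
        else:
            parts.append(REGS32[base])
        if index != 4:                             # index 4 means "no index"
            parts.append(f"{REGS32[index]}*{scale}")
    elif rm == 5 and mod == 0:                     # [disp32], no base register
        disp_size = 4
    else:
        parts.append(REGS32[rm])
    if mod == 1:
        disp_size = 1
    elif mod == 2:
        disp_size = 4
    if disp_size:
        _need(code, pos + size + disp_size)
        disp = int.from_bytes(code[pos + size:pos + size + disp_size], "little", signed=True)
        size += disp_size
    text = "+".join(parts)
    if disp_size or not parts:
        sign = "-" if disp < 0 else ("+" if parts else "")
        text += f"{sign}{abs(disp):#x}"
    return f"[{text}]", size


def decode_nop(code, pos=0):
    """Decode the NOP-family instruction starting at code[pos]. Returns a dict
    with its total length (prefixes included), the prefixes, and its text."""
    start, prefixes = pos, []
    while pos < len(code) and code[pos] in LEGACY_PREFIXES:
        prefixes.append(LEGACY_PREFIXES[code[pos]])
        pos += 1
    _need(code, pos + 1)
    op = code[pos]
    if op == 0x90:                                 # one-byte NOP (F3 90 is PAUSE)
        text = "pause" if "rep" in prefixes else "nop"
        return {"length": pos + 1 - start, "prefixes": prefixes, "text": text}
    if op == 0x0F:
        _need(code, pos + 2)
        if code[pos + 1] == 0x1F:                  # 0F 1F /r: multi-byte NOP
            operand, n = decode_modrm(code, pos + 2)
            return {"length": pos + 2 + n - start, "prefixes": prefixes,
                    "text": f"nop {operand}"}
    raise DecodeError(f"not a NOP encoding at offset {pos}: {op:#04x}")


def skip_nops(code):
    """Return the offset of the first instruction that is not a NOP in any of
    the encodings above, i.e. where the real code starts after a padding sled."""
    pos = 0
    while pos < len(code):
        try:
            pos += decode_nop(code, pos)["length"]
        except DecodeError:
            break
    return pos


# Constructed sample: the Sality instruction from the listing above
# (rep nop [eax+0x66909090]), followed by a plain nop and an int3.
SALITY_NOP = bytes.fromhex("f30f1f9090909066")
SAMPLE_SLED = SALITY_NOP + b"\x90" + b"\xcc"
```

decode_nop(SALITY_NOP) yields an 8-byte instruction with the rep prefix recorded and the operand [eax+0x66909090], and skip_nops(SAMPLE_SLED) stops at offset 9, right at the int3. A decoder that rejected the REP prefix or did not know 0F 1F would instead report a bad instruction or resynchronise somewhere inside the displacement bytes, which is the whole point of the encoding.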

I know it’s just one anti-emulation trick and there are thousands of them, but this one is new (at least to me), special and cool!