
December 20th, 2010

Malware: It’s all in the gift-wrapping

There is a market for gift-wrapping services in cyberspace – especially for malware.

There are thousands of malware variants out in cyberspace, including the well-known Alureon, Koobface, FakeAV, and Zeus. Behind this assortment stands a surprisingly small group of packers whose job is to slip malware past antivirus programs. Each packer can generate an almost unlimited number of unique instances of a single underlying malware binary. What is good news for the bad guys, and rather bad news for the rest of us, is that these tools make malware accessible to the more "average" cybercriminal.

You don't have to be a geek to write malicious code, but advanced skills are certainly needed to hide it effectively from antivirus engines. The current solution to this dilemma is to buy a custom malware packer that is constantly fine-tuned to avoid emulation and detection by AV engines. That way you don't need to recode anything once your binary is detected: you simply redistribute the old malware in a new wrapper.

The chart below shows how the market for packers adds a level of efficiency to the production and distribution of malware:

(chart: how it could work)

Fortunately, not all of these generated samples reach their intended victims. It is technically impossible for every variant to get through, and of course we do our best to detect new variants as soon as possible.

There is a definite market for custom malware packers. And it probably isn't even illegal, as the packer author can always say that he is not responsible for what others do with his tool. After all, money has no smell.

The outsourced production of packers is visible when analyzing malware. Below is a selection of our "Top Four" malware packers whose authors left a signature or tag in the packed files, together with the malware commonly associated with each.

Lighty compressor


Lighty compressor was used to wrap fake security software (rogues). Related detections are Win32:Fasec, Win32:Falder and Win32:Jifas. Other AV companies call it Alureon, Tdss, SpyGuard etc. Do some of these names sound familiar to you? This packer does not modify the original binary: it is a dropper, and the malicious binary is encrypted and embedded in a polymorphic container. The packer was probably written in Russia and is priced at a few hundred dollars. Its distinctive trait is heavy use of obscure API functions to fool code emulators.
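As an added example (this is not avast's code and not any of the packers described here), the Python script below shows the two on-disk observations an analyst uses to recognise the dropper-style container just described: a section whose byte entropy is far above that of ordinary code, and a thin encoding layer under which a second MZ/PE header appears. The container it builds in build_sample_pe() is constructed for the demo and only imitates the "encrypted binary embedded in a wrapper" layout; the single-byte XOR, the section names, the 7.0 entropy threshold and the 0x5A key are assumptions of the example, not properties of Lighty compressor.

```python
"""Packer-triage heuristics for PE files: per-section entropy plus a
single-byte-XOR search for an embedded (dropper-carried) PE image.

Added example, not avast code. build_sample_pe() returns a constructed
container that imitates a dropper layout (plain stub + encrypted section);
it is not a real sample and the XOR layer is an assumption of the demo.
"""
import math
import random
import struct
from collections import Counter

PE_SIGNATURE = b"PE\0\0"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) .. 8.0 (uniform). Encrypted or compressed
    payloads sit near the top of that range; plain x86 code usually does not."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Minimal section-table walk (no pefile dependency): returns
    [(name, raw_bytes), ...] in file order."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size               # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        hdr = table + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def find_xor_embedded_pe(blob: bytes):
    """Try every single-byte XOR key; return (key, offset) of the first decoded
    'MZ' whose e_lfanew points at a PE signature, or None if nothing fits."""
    for key in range(256):
        dec = blob.translate(bytes(i ^ key for i in range(256)))
        idx = dec.find(b"MZ")
        while idx != -1:
            if idx + 0x40 <= len(dec):
                (lfanew,) = struct.unpack_from("<I", dec, idx + 0x3C)
                sig = idx + lfanew
                if lfanew >= 0x40 and dec[sig:sig + 4] == PE_SIGNATURE:
                    return key, idx
            idx = dec.find(b"MZ", idx + 1)
    return None


def triage(pe: bytes, entropy_threshold: float = 7.0):
    """Per-section verdicts: high entropy marks a likely packed/encrypted
    section; a recovered inner PE marks a dropper-style container."""
    results = []
    for name, raw in parse_sections(pe):
        ent = shannon_entropy(raw)
        packed = ent >= entropy_threshold
        results.append({
            "name": name,
            "entropy": round(ent, 2),
            "packed": packed,
            "embedded_pe": find_xor_embedded_pe(raw) if packed else None,
        })
    return results


def _section_header(name: bytes, vaddr: int, raw_size: int, raw_ptr: int, flags: int) -> bytes:
    return struct.pack("<8sIIIIIIHHI", name, raw_size, vaddr, raw_size, raw_ptr, 0, 0, 0, 0, flags)


def build_sample_pe(xor_key: int = 0x5A, seed: int = 1) -> bytes:
    """Constructed container (not a real sample): a plain 512-byte .text stub
    plus a .data section holding an XOR-encoded inner PE header followed by
    pseudo-random filler that stands in for the encrypted payload body."""
    rng = random.Random(seed)
    filler = bytes(rng.getrandbits(8) for _ in range(4096))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    inner = dos + PE_SIGNATURE + struct.pack("<HH", 0x14C, 0) + filler
    enc = bytes(b ^ xor_key for b in inner)

    text = b"\x90" * 200 + b"\xC3" + b"\0" * 311                      # NOPs, RET, padding
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)   # 2 sections, 0xE0 opt hdr
    opt = struct.pack("<H", 0x10B) + b"\0" * 0xDE                      # PE32 magic, rest zeroed
    hdrs = (dos + PE_SIGNATURE + coff + opt
            + _section_header(b".text", 0x1000, len(text), 0x200, 0x60000020)
            + _section_header(b".data", 0x2000, len(enc), 0x400, 0xC0000040))
    return hdrs.ljust(0x200, b"\0") + text + enc


if __name__ == "__main__":
    for verdict in triage(build_sample_pe()):
        print(verdict)
```

Running it reports the .text stub as low-entropy with no embedded image, and the .data section as packed with an inner PE recovered at offset 0 under key 0x5A. Keep the caveats in mind: legitimate compressed resources, UPX-style packers and installers also score high on entropy, and a real custom packer uses a proper cipher or a polymorphic decoder that a single-byte XOR sweep will not undo. The point of the script is to make "encrypted and embedded in a container" concrete, not to replace an emulator.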

Simba packer


Simba packer was also used with rogue software, and we know of examples where a Simba-packed binary was dropped from Lighty compressor. What a nice matryoshka. The related detection is Win32:Gaoprd. Other AV vendors call it FakeAlert, FakeAV etc. This packer also uses obscure API functions. Its origin and market price are not known.

Mystic compressor


Mystic compressor is the next evolutionary step from Lighty compressor. It is updated quite frequently, which also means a wider list of related detections: Win32:MalOb-W, Win32:MalOb-X, Win32:MalOb-AE, Win32:MalOb-AF, Win32:MalOb-AL, Win32:MalOb-AT. Other antivirus programs call them Bredolab, Zbot, Zeus, FraudPack, MysticCompressor, XPAntivirus, VistaAntivirus, FakeRean, Katusha and more. Taken together with the previously mentioned Lighty compressor, the earnings (and therefore the efficiency of custom malware packer usage) and the number of zombie machines are enormous. This packer uses even more, and more obscure, API functions than its ancestor.

Crum cryptor


Crum cryptor is also a polymorphic dropper. It originated in Russia and costs only a few hundred dollars. It is mostly used to drop malicious AutoRun worms and their payloads. Related detections are Win32:MalOb-AI, Win32:MalOb-BZ, MalOb-DW, Win32:Crumpache, Win32:Rimecud. Others call it Palevo, Koobface or Rimecud. From my observations, Crum cryptor is behind a third or more of recent AutoRun worm infections.

Gift-wrapping services for malware  – effective and affordable

Many different, and apparently quite successful, malware families rely on a very few custom packing programs to get past an antivirus program and into targeted computers. Even a non-geek can buy such a program and produce professional-looking (and often undetected) malware. With this semi-legal market for malware gift-wrapping services priced to move at 600 bucks, who can stop it?

Categories: Virus Lab
  1. December 21st, 2010 at 13:29 | #1

    I am wondering, but the virus needs to unpack itself before it can load into memory, right? So the AV can find out the file origin and delete it?

  2. December 21st, 2010 at 13:35 | #2

    Hi Michal,

    Nice share, this article is very informative to others.

    cheers,
    yanto chiang

  3. December 21st, 2010 at 13:53 | #3

    @HackToHEll
    It could be too late when the virus had a chance to unpack itself.

  4. December 21st, 2010 at 17:58 | #4

    I think when it’s loaded in the memory it’s more difficult to erase it…

  5. December 22nd, 2010 at 15:15 | #5

    But avast uses a generic emulator that can find the OEP and unpack the file in memory in a protected area, is that right?

  6. December 22nd, 2010 at 20:18 | #6

    @superhacker
    Not exactly. Finding OEP is not always possible and not always necessary. Btw: all the screenshots are from emulated samples, so yes, we can emulate them, but as I mentioned in the article – these custom packers are constantly improved to avoid emulation.

  7. December 23rd, 2010 at 03:43 | #7

    @Michal Krejdl
    oh i see thanks

  8. Bhaskar
    December 23rd, 2010 at 17:28 | #8

    Hope avast can get through this virus earlier than it gives any effect to your PC. The description is very helpful to me... so thanks

  9. December 25th, 2010 at 23:37 | #9

    Michal Krejdl :
    @superhacker
    Not exactly. Finding OEP is not always possible and not always necessary. Btw: all the screenshots are from emulated samples, so yes, we can emulate them, but as I mentioned in the article – these custom packers are constantly improved to avoid emulation.

    Okay, I get it. Keep up the good work in protecting us

  10. SystemTool2011
    December 27th, 2010 at 13:33 | #10

    I’ve tried both AVG free and Avast free last night and neither of them is removing System Tool 2011 virus :(

  11. December 27th, 2010 at 15:12 | #11

    @SystemTool2011
    You can post your problem in the viruses section of the avast support forum:
    http://forum.avast.com/index.php?board=4.0

  12. user
    December 28th, 2010 at 04:18 | #12

    @Systemtool

    Try Malwarebytes at malwarebytes.org

    If that doesn’t do it, you can get free support at their forums

  13. Zeljko
    December 29th, 2010 at 21:34 | #13

    @SystemTool2011 I recommend <>. It’s the Russian type of a machine for finding and destroying anything you want.

  14. carlos ortiz
    January 6th, 2011 at 23:25 | #14

    thanks for the antivirus

  15. Tom
    January 11th, 2011 at 23:17 | #15

    Avast has flagged the following:
    c:\windows\system32\winlogon.exe is infected by win32:malware-gen

    Any help fixing this would be appreciated.
    Thx

  16. January 12th, 2011 at 19:32 | #16

    @Tom, seems like your whole system is infected. You had better do a scan after booting from a boot CD!

    Or format deeply and reinstall the system. If you don't want to reinstall, you need someone experienced to get your system fully clean again. Try HijackThis and post the log on some forums to gain knowledge about the virus on your system!

  17. January 14th, 2011 at 18:53 | #17

    @SystemTool2011
    Have you tried "Remove Fake Antivirus"? I've used it a bunch of times and it's helped me. I would solve the problem in this order: run TFC.exe (Temp File Cleaner), Remove Fake Antivirus, Malwarebytes, and if you want to really clean it out, run a boot scan using Avast. That should help you real nice.

  19. Jorge Enrique Paz
    January 16th, 2011 at 06:54 | #19

    I have 9 files with the virus Win32:Malware-gen and I need Avast to remove them as far as possible.

Comments are closed.