Protecting over 200 million PCs, Macs, & Mobiles – more than any other antivirus

May 11th, 2012

Deeper and deeper

Don’t worry, we’re not gonna watch movies marked with an asterisk :P . However, from the malware analyst’s point of view, following lines might be somehow “spicy”. We’ll take a look at a suspected false positive promoted as a regular GameMaster setup. The file appeared in our FP submission system with an usual comment “it’s clean” or something like that, thus we can only guess that the file has not been obtained from official source.

The submitted binary was detected as Win32:MalOb-II, but the particular infected file was not the setup itself (the topmost layer), but an included file FlashPlayer.exe (under InnoSetup {app} subfolder). So, if we want to analyse it, we must unpack the setup. FlashPlayer.exe has an icon stolen from WinRar archiver – that’s the first suspicious sign. It contains a lot of high-entropic data – another suspicious sign. This data block gets my attention – I’m curious what’s inside. And here we go: after a little bit of tracing, a dynamically allocated block of memory appears and guess what – it contains another executable binary (which is not dumped to the disc but directly executed). Great, another layer :-) . Let’s dump this binary and take a detailed look at it. It contains high-entropic (encrypted) data as well, so let’s emulate it and see what’s inside. Bingo! It’s another executable binary, this time it is dumped to disc under a randomly generated name (it’s a dll). We can compare it to a typical matryoshka, as we go deeper and deeper through the layers. For those, who didn’t catch the flow of informations: is it better with the image below?

layers and their respective detection ratios

Still nothing? Ok, sorry ;-) . For those, who are still on the track: the initial setup file has a detection coverage lower than 35%, which is frankly a bad overall result. Go deeper! The fake FlashPlayer.exe gets much better score going close to 83%. Go deeper! The binary executed directly from memory gets again a lower detection ratio (an on-demand scan of the dump). Go deeper! And the detection ratio finally raises up to 75% for the last dropped binary. More details from the particular VT scans can be found here:

https://www.virustotal.com/file/bf66869e434a91cbdbc1410ec80915e5da91e2d6a1a4829ddaae6a998cd218bd/analysis/1336729518/

https://www.virustotal.com/file/1d7c19ca92c36997fb15b7f0483079b9fe6880ce2c59a96258b23e6d4e094e73/analysis/1336742483/

https://www.virustotal.com/file/5e69427b0062302b5b7bc9e95ff1439dff61e10c77b911d075e49d9b72335582/analysis/1336742673/

https://www.virustotal.com/file/e9a96a4a5c22ac94335871778e2aee0c0f74aeb17758f35ae3d5c93635e25f69/analysis/1336743210/

As you can see, all layers of this matryoschka “smell” like Vundo, which is definitely nothing what someone wants to install along with GameMaster. Leaving the binary as it is could raise a false feeling of safety – it’s a normally looking setup from outside, but if you can look inside and aggregate the suspicious signs with detection ratios, you can definitely say: “not a FP, next please”. :-)

Pls, let me know – are such insights to our daily work interesting for you?

  1. Tech
    May 11th, 2012 at 19:16 | #1

    Well, I did not understand why when you go deeper the detection rate does not fall down… Aren’t the layers suppose to hide the infection vector? Why put a steep with more detection in between?

  2. May 11th, 2012 at 21:08 | #2

    @Tech
    Most important binary in this chain is FlashPlayer.exe and as you can see – it has the best detection score. Some AV engines are able to unpack the topmost layer (Inno setup) and detect included virus before you execute the setup. That’s an impressive approach, because you’ll get the same result if you scan the setup and if you execute it – you can give the user an early warning. Other AV engines must wait until the setup is executed and FlashPlayer.exe dropped to effectively detect/block it. Third layer is visible only in memory, thus the detection is not necessary (if you detect FlashPlayer.exe, this in-memory binary can’t play a role). On the other hand, fourth layer is physically written to disc as a library, thus it should be detected (and it really has a better score) if you want to fully clean the infection once it was executed.

  3. vadimmitropolsky
    May 12th, 2012 at 01:58 | #3

    Of course interested ^_^

  4. chechu
    May 13th, 2012 at 09:31 | #4

    thanks for the read! :D

  5. Tech
    May 13th, 2012 at 23:44 | #5

    Michal,

    Michal Krejdl :

    That’s an impressive approach, because you’ll get the same result if you scan the setup and if you execute it – you can give the user an early warning.

    It’s a relief to know that avast! could do this.

  6. seed419
    May 15th, 2012 at 17:54 | #6

    I think it’s pretty interesting.

    I’d like to hear more.

  7. techmo
    May 15th, 2012 at 19:06 | #7

    I do find this interesting as I just spent the past 4.5 months warring with the Alueron DNS Changer virus. Your explanation makes sense as this is how that virus was explained to me.

    What would help me is for you to explain how we – the non-techie can spot these to keep our systems clean. I have two boys who love to do online gaming.

  8. May 17th, 2012 at 09:42 | #8

    @techmo
    You can always use our forums and watch how experienced users fight different malware families. It could give you a guide how to increase your security or resolve some security issues. ;-)

Comments are closed.