
Posts Tagged ‘emulator’
January 29th, 2012

Unexpected Czech footprint

I’ve already seen many strange things inside malware packers, but there’s always something surprising. The latest time, it was during the analysis of a packer used to wrap Zbot, LockScreen and similar binaries (detected under various MalOb-* [Cryp] names). There’s a block of allocated memory holding a long list of names. But these names are not used for anything related to the malware’s execution, they’re not visible to the user (unless you emulate or trace the sample), and they have no special purpose. So why are they there? And where’s the Czech footprint?


June 16th, 2011

Win32:SuspBehav strikes again

I’m glad to announce that Win32:SuspBehav – an advanced heuristic set of detections – is back on track now. It had been in maintenance mode for quite a while because some scheduled changes were being made to the underlying emulator. Following these changes, I was really curious about what the real-world feedback would be, and this is what I found:

[image: a few of the SuspBehav submissions]

Wait! There’s a path to the legitimate IncrediMail installation directory. Hmmm, it is either a false positive or something really strange is going on here…


February 19th, 2011

Crum is not (yet) dead, long live Morphex

Have you ever heard about the Morphex PE32 Loader? If not, you are certainly not alone. Even the mighty “Uncle Google” can’t find any proper results:

[image: all quiet on the Google front]

But … it definitely does exist.

Even if this is an “unknown” name, you should be concerned: Morphex PE32 Loader supports the most successful and fastest-growing AutoRun worm of 2011.

June 16th, 2010

How I met the optimization and other stories

Hello again, I’m gonna tell you a story about an emulator that became 5x faster in a single day. In the beginning there was a disassembler and a virtual execution environment. The disassembler liked the environment so much that they got together one day, and the framework for our emulator was born. It grew day by day, line by line – up to 20k+ lines of code – and here the “problem” begins.
