Michal Krejdl

19 February 2011

Crum is not (yet) dead, long live Morphex

Have you ever heard about the Morphex PE32 Loader? You are certainly not alone. Even the mighty "Uncle Google" can't find the proper results:

But … it definitely does exist.

Even if this is an "unknown" name, you should be concerned. Morphex PE32 Loader is supporting the most successful and fastest growing AutoRun worm of 2011.

AutoRun worms are responsible for roughly one out of every eight computer infections. They are spread when an infected USB device is plugged in, misusing the AutoRun function to start an executable file which invites a wide array of malware into the computer. Custom malware packers such as Morphex are essential to getting these initial files to the intended victims.

Even though it is only February, Morphex has already climbed to the top of the avast! Virus Lab charts. Morphex sightings – as measured by percentage increases on a daily, weekly, and monthly level – have shot up. Sightings of Crum cryptor, the previous leader, have fallen substantially in the same period.

I’ve mentioned the use of custom malware packers in one of my previous blog posts. Crum was one of them and, as mentioned, it is used to wrap AutoRun payloads. While Crum has not disappeared from the scene, it now has a strong competitor (or perhaps a successor?). Let's look at part of our continuous statistics and see how these two cryptors changed their position.

What's new in Morphex? Alongside several old, well-known tricks, such as the randomization of icons (already known from Crum), it brings new ones. The topmost layer of encryption serves only to encapsulate the malicious binary, which is then unpacked into memory in its original state. The real innovation lies in its anti-emulation tricks: Morphex uses callbacks bound to very obscure OpenGL objects to control and change the code flow, so an emulator that does not model those objects faithfully never reaches the real payload.

The price of this new big player in the reseller market for custom cryptors is not known. We can only speculate whether it was written by “Sunzer” or not. Regardless of these uncertainties over the “Origins of the Species”, we are continuously maintaining our emulators to find (and defeat) all of the tricks it uses, and we successfully detect Morphex in the wild.

Now that this article is written, I expect that Google will finally show at least one proper search result :-). And last, but not least, a picture showing what we can see within Morphex under the layer of encryption:
