
February 19th, 2011

Crum is not (yet) dead, long live Morphex

Have you ever heard about the Morphex PE32 Loader? If not, you are certainly not alone. Even the mighty “Uncle Google” can’t find any proper results:

all quiet on the Google front

But … it definitely does exist.

Even if this is an “unknown” name, you should be concerned. Morphex PE32 Loader supports the most successful and fastest growing AutoRun worm of 2011.

AutoRun worms are responsible for roughly one out of every eight computer infections. They are spread when an infected USB device is plugged in, misusing the AutoRun function to start an executable file which invites a wide array of malware into the computer. Custom malware packers such as Morphex are essential to getting these initial files to the intended victims.
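The AutoRun function described above is driven by an `autorun.inf` file in the root of the removable drive. As an added example (not code from avast! or from the original post), this Python sketch lists the commands such a file would start, so a drive can be audited before it is opened; the sample file content and all function names are constructed for illustration.

```python
import re

# [autorun] keys that make Windows start a program from the drive.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")
EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")

# Constructed sample, not taken from a real infected drive.
SAMPLE = r"""
; comment line
[AutoRun]
icon=%SystemRoot%\system32\shell32.dll,4
filler text with no equals sign
open=RECYCLER\data.exe
action=Open folder to view files
shell\open\command=RECYCLER\data.exe
shell\explore\command="RECYCLER\my data.exe" -x
"""

def parse_autorun(text):
    """Return (key, value) pairs of the [autorun] section, keys lowercased.
    Lines that are not key=value are skipped instead of raising an error."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            entries.append((key.strip().lower(), value.strip()))
    return entries

def program_of(command):
    """Extract the program path from a command, honouring a quoted path."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0] if command else ""

def launch_targets(text):
    """List every command the autorun.inf content would start."""
    findings = []
    for key, value in parse_autorun(text):
        if key in LAUNCH_KEYS or SHELL_COMMAND.match(key):
            program = program_of(value)
            findings.append({"key": key, "program": program,
                             "executable": program.lower().endswith(EXEC_EXT)})
    return findings
```

Calling `launch_targets()` on the text of a drive's `autorun.inf` returns one entry per launch command; an empty list means the file starts nothing.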

Even though it is only February, Morphex has already climbed to the top of the avast! Virus Lab charts. Morphex sightings – as measured by percentage increases on a daily, weekly, and monthly level – have shot up. Sightings of Crum cryptor, the previous leader, have fallen substantially in the same period.

I’ve mentioned the use of custom malware packers in one of my previous blog posts. Crum was one of them and, as mentioned, it is used to wrap AutoRun payloads. While Crum has not disappeared from the scene, it now has a strong competitor (or perhaps a successor?). Let’s look at part of our continuous statistics and see how these two cryptors changed their position.

before the rise of Morphex

and after

What’s new in Morphex? It incorporates new tricks in addition to several old, well-known ones, such as the randomization of icons (known from Crum). It uses the topmost layer of encryption only to encapsulate the malicious binary, which is then unpacked into memory in its original state. The real innovation is in its level of anti-emulation tricks: Morphex uses callbacks bound to very obscure OpenGL objects to control and change the code flow.

The price of this new big player in the reseller market for custom cryptors is not known. We can only speculate whether it was written by “Sunzer” or not. Regardless of these uncertainties over the “Origins of the Species”, we’re continuously maintaining our emulators to find (and defeat) all of the tricks used, and we successfully detect Morphex in the wild.

Now that this article is written, I expect that Google will finally show at least one proper search result :-). And last, but not least, a picture showing what we can see within Morphex under the layer of encryption:

Morphex inside :-)

Categories: Virus Lab

  • Aethec

    Ugh. Why do some people have to disable automatic updates?
    The anti-AutoRun patch was released recently…the fact it is in the first position of your charts means some people have an AV, yet think automatic updates are not necessary.
    I know I shouldn’t say that, but those people deserve to get infected at least once…


  • Andy

    Avast flagged several fake AVs as Morphex, seems autoruns are not the only ones using Morphex

  • Jason Mashak

    Your last sentence, Aethec, has some validity. It goes for anything, really. People who have been in an auto accident are far more worried about them in the future. Until you’ve had a virus do damage to your machine, the word ‘virus’ is just an abstract term, similar to ‘terror’ (what is ‘terror’ until one feels it?).

    Perhaps what is needed is a malware simulator, to let people see firsthand all the things a virus can do…?

  • HackTohELl

    Google has probably filtered them out, ask someone in a hacking IRC and they would say !.
    Must try
