January 29th, 2012

Unexpected Czech footprint

I’ve already seen many strange things inside malware packers, but there’s always something surprising. The latest one came up during the analysis of a packer used to wrap Zbot, LockScreen and similar binaries (detected under various MalOb-* [Cryp] names). There’s a block of allocated memory with a long list of names. These names are not used for anything related to malware execution, they’re not visible to the user (unless you emulate or trace the sample), and they have no special purpose. So why are they there? And where’s the Czech footprint?

dump of memory block

The highlighted name – Zatopek – belongs to the famous Czech long-distance runner (wiki). It’s somewhat mysterious (at least to me) how and why he made it onto the list. The list differs from sample to sample, and Zatopek doesn’t seem to appear in all of them. Do any of you, readers, know of something that relates all the names on the list? And which name from the list is interesting to you, and why? :-)
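To show how a padding list like this affects string-based triage, here is an added example (not code from the original post or from the packer): it pulls printable strings from a constructed memory-dump blob, measures how many come from a dictionary of decoy names, and compares two samples before and after the decoys are filtered out. The byte blobs and the decoy word list are constructed stand-ins, not the real dump or the real dictionary.

```python
import re

# Constructed stand-ins for two dumped memory blocks: NUL-separated strings,
# a couple of bytes that are not printable, and a different name list per sample.
SAMPLE_A = b"kernel32.dll\x00Zatopek\x00Samurai\x00Face/Self-Sacrifice\x00MEET\x00ab\x00"
SAMPLE_B = b"kernel32.dll\x00Whistler\x00Highlander\x00\x90\x90MEET\x00"

# Constructed subset of a "movie characters" style word list (assumed, not the real file).
DECOY_WORDS = {"zatopek", "samurai", "face/self-sacrifice", "whistler", "highlander", "meet"}


def extract_strings(blob, min_len=4):
    """Return runs of printable ASCII of at least min_len bytes, like `strings` would."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def decoy_ratio(strings, words):
    """Fraction of extracted strings that are dictionary padding rather than real artefacts."""
    if not strings:
        return 0.0
    hits = sum(1 for s in strings if s.lower() in words)
    return hits / len(strings)


def filter_decoys(strings, words):
    """Drop strings that match the decoy dictionary, keeping the ones worth signaturing."""
    return [s for s in strings if s.lower() not in words]


def jaccard(a, b):
    """Set similarity of two string lists; 1.0 means identical string sets."""
    sa, sb = set(a), set(b)
    return len(sa & sb) / len(sa | sb) if sa | sb else 1.0


if __name__ == "__main__":
    strs_a, strs_b = extract_strings(SAMPLE_A), extract_strings(SAMPLE_B)
    print("decoy ratio A:", decoy_ratio(strs_a, DECOY_WORDS))
    print("similarity raw:", round(jaccard(strs_a, strs_b), 3))
    clean_a = filter_decoys(strs_a, DECOY_WORDS)
    clean_b = filter_decoys(strs_b, DECOY_WORDS)
    print("similarity after removing decoys:", jaccard(clean_a, clean_b))
```

The raw string sets of the two samples look quite different; once the dictionary names are removed, the strings that remain are identical, which is the part a signature or clustering feature should be built on.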

  • Martijn Grooten

    I found “Face/Self-Sacrifice” the most interesting.

    Google has this result

    Note that ‘Samurai’ occurs just before it in the list.

    Perhaps it’s film/IMDB related?

    PS asking me to register/log in and then asking me to solve a CAPTCHA when leaving me a comment seems a bit much…

  • Tonyp32810

    It might just be me, but why are some of the names highlighted in blue?

  • roger_m

    There is no relationship between the names. They are taken from a dictionary which appears a few times on the net, take the following two links as an example:

    hxxp:// Files/movie-characters.txt

    hxxp:// Characters.txt?r=4&spec=svn6

    If you do this search in Google:,or.r_gc.r_pw.,cf.osb&fp=8b4d6bc0e1cf18b&biw=1680&bih=955

    You will find hundreds of results, many of which lead to scam dieting sites, which use the dictionary content to increase search rankings but don’t display any of its content on their webpages.

  • moltenmetalman

    The word MEET stands out. It is the only word capitalized. I also see military ref. Zatopek being highlighted could be a decoder or something to throw you off. Whistling whistler shows several times. Also look on left and right of mess. lowercase stand out on the left, upper on the right. I think this is a crypted message sent to someone in a manner to make it hard to find the receiver. Sorry, no printer and in too much pain from back surgery to write it all down and decode.

  • philipsinbox

    The BBC attempt to teach computer illiterates about online banking and the threats. Not bad considering it is the BBC; they are normally years behind the times.

  • peje39
  • DcyMatrix

    My guess would be that, since the list is not the same from sample to sample, it might be an attempt to mask the ‘footprint’ of the malware being packed. Not so much as to throw off a human, but maybe an attempt at making the malware not easily picked up by technologies like CommunityIQ and various other cloud solutions that use automated detection of possible malware.
    That’s my guess anyway, but I am not a programmer =)