Michal Krejdl

29 January 2012

Unexpected Czech footprint

I've already seen many strange things inside malware packers, but there's always something surprising. The latest time, it was during the analysis of packer used to wrap Zbot, LockScreen and similar binaries (detected under various MalOb-* [Cryp] names). There's a block of allocated memory with a long list of names. But these names are not used for anything related to malware execution, they're not visible to the user (unless you emulate/trace the sample), they have no special purpose. But why they are there? And where's the Czech footprint?

The highlighted name - Zatopek - belongs to the famous Czech long-distance runner (wiki). It's somehow mysterious (at least for me) how and why he made it on the list. This list is different from sample to sample and Zatopek doesn't seem to appear in all of them. Does anyone of you, readers, know something that can put all the names from the list to some sort of relation? And which name from the list is interesting for you and why? :-)

Threat Research, Security News