I’ve already seen many strange things inside malware packers, but there’s always something surprising. The latest time, it was during the analysis of a packer used to wrap Zbot, LockScreen and similar binaries (detected under various MalOb-* [Cryp] names). There’s a block of allocated memory with a long list of names. But these names are not used for anything related to malware execution, they’re not visible to the user (unless you emulate/trace the sample), and they have no special purpose. So why are they there? And where’s the Czech footprint?
I’m glad to announce that Win32:SuspBehav – an advanced heuristic set of detections – is back on track now. It has been in maintenance mode for quite a while because there were some scheduled changes made to the underlying emulator. Following these changes, I was really curious about what the real-world feedback would be, and this is what I found:
Wait! There’s a path to the legitimate IncrediMail installation directory. Hmmm, it is either a false positive or something really strange is going on here…
Have you ever heard about the Morphex PE32 Loader? You are certainly not alone. Even the mighty “Uncle Google” can’t find the proper results:
But … it definitely does exist.
Even if this is an “unknown” name, you should be concerned. Morphex PE32 Loader supports the most successful and fastest growing AutoRun worm of 2011.
Hello again, I’m gonna tell you a story about an emulator that became 5x faster in one day. In the beginning there was a disassembler and a virtual execution environment. The disassembler liked the environment so much that they got together one day and the framework for our emulator was born. It was growing day by day, line by line – up to 20k+ lines of code – and here the “problem” begins.