As you can read in that post, they found malware samples that use FPU instructions, which leads to incorrect disassembly in several debuggers and disassemblers.
I decided to write a small Python script to help us identify this trick and potentially other similar ones. The script tries to disassemble the first ten instructions at the entry point of an executable using pefile and pydasm, and it warns you if any of those instructions cannot be disassembled.
$ python2.7 disaep.py -i ./714472dfd11dcd8efe79d592ca990b95.exe
558bec6aff68c00b4900
push ebp
mov ebp,esp
push byte 0xffffffff
push dword 0x490bc0
You can use the script to scan your malware repository for samples showing this behavior. Let’s see some examples:
/malware/000ef67eaa3be4e6adda140cecbfee792b40538f4a65430ab15fafa2a3ef6e27.exe
dcdcdfdfdfdbe9d2e9ff
Unknown Opcode
/malware/98ce5fdddf436a6951ee5a1180afd2c6d1097924d47f7f12ce3904db29c467e4.exe
dfd8556aff68a0604000
Unknown Opcode
/malware/ef5a2a3936b900063dd761817ab5bc1dc93cf52067ed3371b360d49c83ca7fa0.exe
dfdfdfdfdfdfdfdfdfdf
Unknown Opcode
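The following is an added example and not the disaep.py script described above: a dependency-free Python 3 version of the same entry-point check. Instead of running a disassembler it parses the PE headers by hand, pulls the first bytes at AddressOfEntryPoint and flags the sample when the first opcode byte is an x87 escape (D8..DF), which is exactly what the three samples above begin with. The build_minimal_pe helper and the NORMAL / FPU_SAMPLE blobs are constructed fixtures that wrap the entry-point bytes shown in the output above.

```python
import struct

# Every x86 instruction whose first opcode byte is D8..DF is an x87 FPU
# instruction; that is what the samples above put at the entry point.
FPU_ESCAPE = range(0xD8, 0xE0)

def entry_point_bytes(data, count=10):
    """First `count` bytes at the PE entry point, parsing PE32/PE32+ headers
    by hand (no pefile dependency). Raises ValueError on malformed input."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    entry_rva = struct.unpack_from("<I", data, coff + 20 + 16)[0]  # AddressOfEntryPoint
    for i in range(nsections):
        hdr = coff + 20 + opt_size + i * 40
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<4I", data, hdr + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            off = rawptr + (entry_rva - vaddr)
            return data[off:off + count]
    raise ValueError("entry point is not inside any section")

def fpu_at_entry(data):
    """True when the first instruction at the entry point is an x87 FPU one."""
    ep = entry_point_bytes(data)
    return len(ep) > 0 and ep[0] in FPU_ESCAPE

def build_minimal_pe(code):
    """Constructed PE32 test fixture: one .text section holding `code` at RVA
    0x1000; only the header fields the parser reads are filled in."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)     # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)   # AddressOfEntryPoint
    sec = b".text".ljust(8, b"\0") + struct.pack("<4I", len(code), 0x1000, len(code), 0x200) + b"\0" * 16
    return (dos + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x200, b"\0") + code

# Entry-point bytes copied from the output shown above: a normal MSVC-style
# prologue and one of the FPU-prefixed samples (constructed fixtures).
NORMAL = build_minimal_pe(bytes.fromhex("558bec6aff68c00b4900"))
FPU_SAMPLE = build_minimal_pe(bytes.fromhex("dcdcdfdfdfdbe9d2e9ff"))

if __name__ == "__main__":
    for name, blob in (("normal", NORMAL), ("fpu", FPU_SAMPLE)):
        print(name, entry_point_bytes(blob).hex(), fpu_at_entry(blob))
```

Pointing fpu_at_entry at the bytes of a real file (open(path, "rb").read()) gives a quick repository-wide triage pass; a hit only means the entry point starts with an FPU instruction, so confirm it with a full disassembler.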
As Microsoft says in the blog post, most of the samples we have found belong to either the Farfli or Zegost family.
Using this information we have created a YARA rule that can be used to detect these FPU instructions at the entry point:
Finally, Microsoft mentioned that they could not find any mention of this trick in underground forums, but we found this post from last year that could be related:
http://zhidao.baidu.com/question/442279402.html
Now you can use the script we shared to hunt for new samples and instructions.
Happy hunting!