Hunting for malware with undocumented instructions

July 1, 2013 | Jaime Blasco


A few days ago the Microsoft Malware Protection Center published a great blog post about undocumented instruction tricks being used by several malware families.

As the post explains, they found malware samples using FPU instructions that lead to incorrect disassembly in several debuggers and disassemblers. The processor executes these opcodes normally, so the sample runs as intended, but a tool that does not recognise them either stops or mis-decodes the bytes that follow, and the analyst's view of the entry point no longer matches what actually executes.

I decided to write a small Python script to help identify this trick and potentially other similar ones. The script uses pefile to locate the entry point of an executable, reads the first ten bytes there and tries to disassemble them with pydasm; it warns you if any instruction can't be disassembled.

$ python2.7 disaep.py -i ./714472dfd11dcd8efe79d592ca990b95.exe
558bec6aff68c00b4900
push ebp
mov ebp,esp
push byte 0xffffffff
push dword 0x490bc0

You can use the script to scan your malware repository for samples showing this behavior. Let’s see some examples:

/malware/000ef67eaa3be4e6adda140cecbfee792b40538f4a65430ab15fafa2a3ef6e27.exe
dcdcdfdfdfdbe9d2e9ff
Unknown Opcode


/malware/98ce5fdddf436a6951ee5a1180afd2c6d1097924d47f7f12ce3904db29c467e4.exe
dfd8556aff68a0604000
Unknown Opcode


/malware/ef5a2a3936b900063dd761817ab5bc1dc93cf52067ed3371b360d49c83ca7fa0.exe
dfdfdfdfdfdfdfdfdfdf
Unknown Opcode


As Microsoft says in its blog post, most of the samples we have found are from either the Farfli or Zegost family.

Using this information we have created a Yara rule that can be used to detect these FPU instructions at the entry point:

[Screenshot: the Yara rule]
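Neither the script nor the Yara rule is reproduced on this page, so what follows is an added example of the same hunt written for this page; it is not the author's disaep.py and not AlienVault's rule. It replaces pefile with a struct-based walk of the PE headers and pydasm with an explicit table of the undocumented x87 opcode aliases, so it needs nothing beyond the Python standard library. The alias table and the FSTP1/FCOM2/.../FSTP9 names are assumed from the commonly cited list of undocumented FPU encodings rather than taken from the post, and build_minimal_pe() fabricates a skeletal PE around the entry-point bytes quoted above so the scan runs offline on constructed data. Note the second flagged sample: after the two-byte df d8, the remaining bytes 55 6a ff 68 a0 60 40 00 read as an ordinary push ebp / push -1 / push imm32 prologue, so the junk FPU instruction sits right in front of otherwise normal code.

```python
"""
Added example, not the author's disaep.py. It replaces pefile with a minimal
struct-based walk of the PE headers and pydasm with a table of undocumented
x87 opcode aliases, so it runs on the standard library alone. The alias table
is assumed from the commonly cited list of undocumented FPU encodings;
build_minimal_pe() produces constructed test data, not a real sample.
"""
import struct

# Second-byte ranges (inclusive) of undocumented x87 aliases, keyed by first
# opcode byte. The CPU runs each as the documented instruction it aliases,
# which is why the sample executes while some disassemblers give up on it.
UNDOCUMENTED_FPU = {
    0xD9: [(0xD8, 0xDF, "FSTP1 (alias of FSTP)")],
    0xDC: [(0xD0, 0xD7, "FCOM2 (alias of FCOM)"),
           (0xD8, 0xDF, "FCOMP3 (alias of FCOMP)")],
    0xDD: [(0xC8, 0xCF, "FXCH4 (alias of FXCH)")],
    0xDE: [(0xD0, 0xD7, "FCOMP5 (alias of FCOMP)")],
    0xDF: [(0xC0, 0xC7, "FFREEP"),
           (0xC8, 0xCF, "FXCH7 (alias of FXCH)"),
           (0xD0, 0xD7, "FSTP8 (alias of FSTP)"),
           (0xD8, 0xDF, "FSTP9 (alias of FSTP)")],
}

def alias_at(code, i):
    """Name of the undocumented alias whose two bytes start at code[i], else None."""
    if i + 1 >= len(code):
        return None
    for lo, hi, name in UNDOCUMENTED_FPU.get(code[i], ()):
        if lo <= code[i + 1] <= hi:
            return name
    return None

def find_undocumented_fpu(code):
    """[(offset, hex_pair, name)] for alias pairs in `code`. A byte sweep, not
    a decode: it steps over a recognised two-byte instruction and otherwise
    advances one byte, so on non-code input it can match inside an operand.
    Treat hits as a triage signal, not proof."""
    hits, i = [], 0
    while i < len(code) - 1:
        name = alias_at(code, i)
        if name:
            hits.append((i, code[i:i + 2].hex(), name))
            i += 2
        else:
            i += 1
    return hits

def entry_point_bytes(pe, count=10):
    """Raw bytes at AddressOfEntryPoint, mapping the RVA to a file offset via
    the section table (the part of the job pefile did in the original)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                      # optional header follows COFF header
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    for n in range(nsections):
        hdr = opt + opt_size + 40 * n        # 40-byte IMAGE_SECTION_HEADER
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, hdr + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            off = rawptr + (entry_rva - vaddr)
            return pe[off:off + count]
    raise ValueError("entry point RVA is not inside any section")

def scan_pe(pe, count=10):
    """Hunting verdict for one file: entry bytes, the alias the entry point
    begins with (if any), and every alias pair in the window."""
    code = entry_point_bytes(pe, count)
    return {"entry_bytes": code.hex(), "at_entry": alias_at(code, 0),
            "hits": find_undocumented_fpu(code)}

def build_minimal_pe(entry_code, entry_rva=0x1000, raw_ptr=0x200):
    """Constructed test data: a skeletal PE32 with one .text section whose
    first bytes are `entry_code`. Enough header for scan_pe(), not loadable."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    sect = b".text\0\0\0" + struct.pack("<IIII", len(entry_code), entry_rva,
                                        len(entry_code), raw_ptr) + b"\0" * 16
    return (dos + coff + bytes(opt) + sect).ljust(raw_ptr, b"\0") + entry_code

if __name__ == "__main__":
    # Entry-point bytes quoted in the post: one clean sample, three flagged ones.
    for hexbytes in ("558bec6aff68c00b4900", "dcdcdfdfdfdbe9d2e9ff",
                     "dfd8556aff68a0604000", "dfdfdfdfdfdfdfdfdfdf"):
        print(scan_pe(build_minimal_pe(bytes.fromhex(hexbytes))))
```

The table approach trades coverage for independence from a disassembler: the original script's test of "anything pydasm rejects" also catches tricks that are not in the table, while this one only finds known aliases, so keep both signals when hunting. The same byte ranges are what a Yara rule with an `at entrypoint` condition would encode, and `at_entry` is the field to alert on; `hits` is the wider sweep for triage.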

Finally, Microsoft mentioned that they couldn't find any mention of this trick in the underground forums, but we found this post from last year that could be related:

http://zhidao.baidu.com/question/442279402.html

[Screenshots of the Baidu post]

Now you can use the script we shared to hunt for new samples and instructions.

Happy hunting!

Jaime Blasco

About the Author: Jaime Blasco
Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AlienVault he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.

