When the needle dwarfs the haystack
Malware analysis isn't just about examining the current samples; it is also about predicting trends and attempting to stay ahead of the bad guys. By looking at samples which aren't being detected by our generic identities, we hope to see the new methods malware authors employ to avoid detection.
The latest round of samples from the Tibs family hitting a mailbox near you attempt to thwart emulation (and thus dynamic analysis and detection in the field) by relying on the known return values of various APIs, values that a typical anti-virus emulator would not know by default unless it models each API faithfully.
In the screenshot, CopyIcon, exported from user32.dll, is one such function. Here we see that the argument passed to CopyIcon is the uninitialized value of ECX (almost certainly not a valid icon handle), and the branch following the call compares the result against the outcome a real Windows system would produce: one path continues normal execution, the other jumps to some other address and eventually crashes. An emulator that returns a plausible-looking handle instead of the failure value the real API gives takes the wrong path.
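To make the trick concrete, here is an added C example (not code from the post or from the Tibs sample) that models the check the screenshot describes. It assumes, per the Windows documentation, that CopyIcon returns NULL on failure and that passing garbage instead of a valid icon handle is such a failure; on Windows it calls the real CopyIcon, elsewhere a stand-in that fails the same way. The two emulator stubs, naive_emulated_copy_icon and hardened_emulated_copy_icon, and the garbage value standing in for the uninitialized ECX are hypothetical and exist only to show why a generic "return a handle" stub takes the wrong branch and what an emulator has to do to take the right one.

```c
#include <stddef.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Non-Windows build: minimal stand-in so the logic compiles and runs anywhere. */
typedef void *HICON;
#endif

/* Garbage argument standing in for the uninitialized ECX the sample passes.
 * The exact value is arbitrary (chosen here); it only matters that it is not
 * a handle the system ever issued. */
#define GARBAGE_HANDLE ((HICON)(size_t)0x41414141)

/* What the real API does: CopyIcon on an invalid handle fails and returns
 * NULL (documented failure return). Off Windows the stand-in fails the same way. */
static HICON real_copy_icon(HICON h)
{
#ifdef _WIN32
    return CopyIcon(h);
#else
    (void)h;
    return NULL;
#endif
}

/* Hypothetical naive emulator stub: it knows only that CopyIcon "returns a
 * handle" and hands back a fake non-NULL one without modelling failure. */
static HICON naive_emulated_copy_icon(HICON h)
{
    (void)h;
    return (HICON)(size_t)0x00010001;
}

/* Hypothetical hardened emulator: it records every handle it has issued and
 * fails on anything it does not recognize, matching the real API's behaviour. */
static HICON known_handles[16];
static size_t known_count;

static HICON hardened_emulated_create_icon(void)
{
    if (known_count >= sizeof known_handles / sizeof known_handles[0])
        return NULL;
    HICON h = (HICON)(size_t)(0x00010000u + known_count + 1);
    known_handles[known_count++] = h;
    return h;
}

static HICON hardened_emulated_copy_icon(HICON h)
{
    for (size_t i = 0; i < known_count; i++)
        if (known_handles[i] == h)
            return hardened_emulated_create_icon();  /* fresh handle for the copy */
    return NULL;  /* unknown handle: fail exactly as the real API would */
}

/* The sample's check, reconstructed: call the API with garbage and branch on
 * whether the result matches what a real Windows box returns. A non-zero
 * result means "continue normal execution"; zero means "take the crash path". */
static int looks_like_real_windows(HICON (*copy_icon)(HICON))
{
    return copy_icon(GARBAGE_HANDLE) == NULL;
}

int main(void)
{
    printf("real API        : %s\n",
           looks_like_real_windows(real_copy_icon) ? "runs payload" : "crashes");
    printf("naive emulator  : %s\n",
           looks_like_real_windows(naive_emulated_copy_icon) ? "runs payload" : "crashes");
    printf("hardened emulator: %s\n",
           looks_like_real_windows(hardened_emulated_copy_icon) ? "runs payload" : "crashes");
    return 0;
}
```

The point for anyone writing or tuning an emulator is that the failure path of an API is as much a part of its contract as the success path: a stub that always succeeds is itself a fingerprint, and the fix is to track state (here, which handles exist) so that garbage input fails just as it does on real hardware.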
To the trained eye this apparently random and unexpected use of APIs is often a sign that something is being obscured, so the sample warrants closer inspection.
Thus, in an attempt to hide malicious functionality, the malware authors have inadvertently drawn attention to the proverbial needle in the haystack.
Posted on March 19th, 2008 by Pete, SophosLabs AU. Filed under: General, Malware