Sophos

19 March 2008 08:29 GMT

When the needle dwarfs the haystack

Malware analysis isn't just about examining the current samples but also about predicting trends and attempting to stay ahead of the bad guys. By looking at samples which aren't being detected by our generic identities, we hope to see the new methods employed by malware authors to avoid detection.

The latest round of samples from the Tibs family hitting a mailbox near you attempt to thwart emulation (and thus dynamic analysis and detection in the field) by relying on the known return values of various APIs, values that a typical anti-virus engine's emulator wouldn't know by default.

[Screenshot: tibspic.JPG]

In the screenshot, CopyIcon (exported from user32.dll) is one such function. Here we see that the argument to CopyIcon is the uninitialized value of ECX (most likely an invalid handle), and the branch following the API call uses the known outcome of that call either to continue normal execution or to jump to some other address (causing an eventual crash).
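The trick only works when an emulator's API stub returns something the real OS never would, so the defender's fix is to test stub fidelity. Below is an added example (not from the post, nor Sophos code) of a small regression check for a toy emulator's stubs, assuming the sample takes the normal path when CopyIcon returns the documented failure value; the handle values and the stub sets are constructed.

```python
# Regression check for Win32 API stubs inside a toy emulator (added example).
# Each stub is fed an argument that is invalid on a real Windows machine and
# compared against the documented failure value of the real API.

NULL = 0
FALSE = 0
BOGUS_HANDLE = 0xDEADBEEF   # constructed stand-in for the uninitialised ECX value

# Documented failure contracts: API -> (invalid argument, what the real OS returns).
FAILURE_CONTRACTS = {
    "CopyIcon":         (BOGUS_HANDLE, NULL),    # invalid HICON -> NULL
    "CloseHandle":      (BOGUS_HANDLE, FALSE),   # invalid HANDLE -> FALSE
    "GetModuleHandleA": ("no_such.dll", NULL),   # module not loaded -> NULL
}

def naive_stubs():
    """A naive stub set that reports success for every call (constructed)."""
    return {
        "CopyIcon":         lambda h: 0x1000,
        "CloseHandle":      lambda h: 1,
        "GetModuleHandleA": lambda name: 0x400000,
    }

def faithful_stubs(open_handles=frozenset(), loaded_modules=frozenset()):
    """Stubs that only succeed for objects the emulated process actually owns."""
    return {
        "CopyIcon":         lambda h: 0x1000 if h in open_handles else NULL,
        "CloseHandle":      lambda h: 1 if h in open_handles else FALSE,
        "GetModuleHandleA": lambda n: 0x400000 if n in loaded_modules else NULL,
    }

def audit_stubs(stubs):
    """Names of stubs whose failure behaviour diverges from the real OS."""
    return sorted(name for name, (bad_arg, expected) in FAILURE_CONTRACTS.items()
                  if stubs[name](bad_arg) != expected)

def sample_branch(stubs):
    """Model of the branch in the screenshot: execution continues normally only
    when CopyIcon on a bogus handle returns what a real machine would."""
    return "payload" if stubs["CopyIcon"](BOGUS_HANDLE) == NULL else "crash"

if __name__ == "__main__":
    print("naive:   ", audit_stubs(naive_stubs()), sample_branch(naive_stubs()))
    print("faithful:", audit_stubs(faithful_stubs()), sample_branch(faithful_stubs()))
```

With the naive stubs the audit flags all three APIs and the modelled sample veers off to a crash, so the emulator never reaches the payload; the faithful stubs pass the audit and the sample behaves as it would on a victim machine.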

To the trained eye, this apparently random and unexpected use of APIs is often an indication that something is being obscured, and so the sample warrants closer inspection.

Thus, in an attempt to hide malicious functionality, the malware authors have inadvertently drawn attention to the proverbial needle in a haystack.

Pete, SophosLabs AU