A Virtual World of Mal-Intent

Filed Under: Malware, SophosLabs

I often notice that new Virtumundo mutants are released into the wild. So I equally often find myself looking at samples received by SophosLabs and finding ways to generically detect this family of malware. It's come to the point where one can look at the code of a sample and instantly determine its inclusion in the Virtumundo family just from the customised packer.

While the majority of Virtumundo samples encountered by SophosLabs' customers are proactively detected as Troj/Virtum-Gen it should be highlighted that authors are constantly updating their malware in order to evade detection. The techniques that these nasty folk employ create polymorphic code, that changes between samples. As a result, the majority of malware detected by our generic identities have never been seen previously. It's a race to see who can get a step ahead. The bad guys, writing their code to change and obfuscate as much as possible, and the good guys whose goal it is to creatively code robust identities that accommodate unknown eventualities.

Thankfully, though, the core features of the offending code doesn't change a great deal as the program has just been tweaked. It's normally possible to spot polymorphic code from a mile away, without glasses and facing the wrong direction. This is shown below.
Virtum_blog

The code displayed in the above picture provides an example of an implemented technique, in many malware samples, that aims to evade detection. There are a number of instructions that are considered NOP (No-operation) instructions; though at first glance this may not appear to be so. These are labelled as such because they are programmatically inert. Their purpose is to simply break signature-based detection. This is a feature of polymorphism.

Luckily the techies here in the Lab write identities focusing primarily on behavioural and feature-like characteristics of samples. These characteristics have to be similar from sample to sample in order for the malicious code to maintain its functionality. The 'core' malicious functionality exhibits behaviour which allows Sophos to proactively detect malware that may have different code. Therefore this type of code polymorphism isn't always successful; much to the authors' chagrin.

Sorry bad guys.

You might like