Sophos Cloud OptixEarlier this week, I investigated some virtual machine aware malware. I was specifically looking for samples that use RedPill technique, discovered by Joanna Rutkowska. More precisely, I was interested in samples that “re-use” the published source code. I did a search through a collection of more than a million malware samples for the short 8 byte long function that uses sidt x86 instruction. The search returned a little over 50 results.
Most of the samples using the code are variants of various IRC bot families. Quite a few of them combine Redpill code with code comparing the first 5 bytes of MessageBoxA API with a hard-coded byte sequence, presumably to detect if the bot is running inside an emulator or if the function is hooked by some sort of API monitoring or debugging software.
Almost all of the samples correctly compare hard-coded byte sequence with the MessageBoxA prolog code byte by byte, except for one sample that completely misses the point. The offending code is a part of an early variant of an IRC bot whose developer decided to call it Ogbot. The function to check whether the code is hooked is very similar to the code used by other IRC bots, which again implies code sharing. The amusing part is the byte comparison.
The code is intended to check if the first word (16-bit) of the MessageBoxA API function is 0x00c8, but instead compares it with “0x7830” since it internally represents the bytes 0xc8,0x00 as 0x30,0x78,0x63,0x38,0x2c,0x30,0x78,0x30,0x30 (decoded from ASCII it gives the textual string “0xc8,0x00”). The incorrect comparison causes part of the bot functionality never to be executed, even if the bot is running outside a controlled environment.
This made me wonder if the Ogbot writer(s) missed the lesson when their teacher explained how you should not compare apples and oranges. It is quite a serious mistake which shows that there are still a few “amateur” virus writers around that do not fully understand different types of variables and the way they are stored in memory. Writing viruses is not the best way to learn programming.