Late last week Sophos received a handful of samples which, from cursory static analysis, looked parasitic, given the various tell-tale signs: a patched entry point, execution in another section and restoration of the stolen bytes.
Continuing the analysis showed that the code in the last section was position-independent, located KERNEL32 exports dynamically using hashes, and copied itself to newly allocated memory before decrypting further parts of its code. By now I was priming myself for a disinfection-style identity (one which must fix the infected host) and setting up for replicant generation but then something odd…
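The first two of those static signals (an entry point that has been redirected into another, usually the last, section, often one that is both writable and executable) can be checked mechanically from the PE headers alone. The following is an added triage example, not Sophos code; the heuristic thresholds and the minimal PE header it constructs for testing are my own assumptions.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE    = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ    = 0x40000000
IMAGE_SCN_MEM_WRITE   = 0x80000000

def parse_pe(data):
    """Return (AddressOfEntryPoint, [(name, rva, size, characteristics)]) from raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]             # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]        # SizeOfOptionalHeader
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]      # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = pe + 24 + opt_size + 40 * i                        # section table follows the optional header
        name, vsize, va, rawsize, *_, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append((name.rstrip(b"\0").decode(), va, max(vsize, rawsize), chars))
    return entry, sections

def entrypoint_findings(data):
    """Triage heuristic: which section holds the entry point, and why that looks patched."""
    entry, sections = parse_pe(data)
    for idx, (name, va, size, chars) in enumerate(sections):
        if va <= entry < va + size:
            findings = []
            if len(sections) > 1 and idx == len(sections) - 1:
                findings.append("entry point in last section")
            if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
                findings.append("entry section is writable and executable")
            if not chars & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE):
                findings.append("entry section not marked as code")
            return name, findings
    return None, ["entry point outside every section"]

def build_sample(entry_rva, sections):
    """Constructed minimal PE32 header for testing only (assumption: not a loadable binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                       # e_lfanew -> 0x40
    opt = struct.pack("<HBBIII", 0x10B, 0, 0, 0, 0, 0) + struct.pack("<II", entry_rva, 0)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), sz, va, sz, 0, 0, 0, 0, 0, ch)
                     for n, va, sz, ch in sections)
    return dos + coff + opt + table

CODE_RX = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA_RW = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
CLEAN = build_sample(0x1000, [(".text", 0x1000, 0x2000, CODE_RX), (".data", 0x3000, 0x1000, DATA_RW)])
SUSPECT = build_sample(0x5010, [(".text", 0x1000, 0x2000, CODE_RX), (".data", 0x3000, 0x1000, DATA_RW),
                                (".last", 0x5000, 0x1000, CODE_RX | IMAGE_SCN_MEM_WRITE)])

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, entrypoint_findings(sample))
```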
Parasitic viruses aim to propagate themselves, typically by finding and infecting other files on disk, sometimes even processes in memory. However, this sample didn’t appear to obtain any of the expected APIs to accomplish this. Digging further, I noticed that an embedded PE file is decrypted and dropped onto the local filesystem, then executed. The dropped component has no parasitic capability and was, in fact, already detected as Mal/Packer.
So I finally figured that this wasn’t a parasitic virus, despite many indications to the contrary (it had no infection engine at all), nor even a worm, and thus it became Mal/Helpud-A.
The question still remains, was this malware author trying to be clever and failing, or was he having an identity crisis?