MMX gives FakeAVs a new trick

With the fake antivirus family of malware, it is no wonder the authors are able to develop new complex, custom packers to encrypt their malicious code. With each new packer, thousands of different polymorphic variants are released, making any attempt at signature-base detection completely futile.

Recently I noticed a new technique this family is employing: rather than using only the standard Intel instruction set (like almost all programs), they have begun to also throw in instructions from the multimedia instructions (MMX) set, which was primarily developed to aid in highly computationally-expensive multimedia tasks, like gaming and video encoding. However, their usage in these packers is in no way to make their code run more efficiently.

Disassembly view of FakeAV with MMX
Disassembly view of WinPC Defender variant

In the above code from a fake antivirus program called WinPC Defender, the MMX instructions (highlighted in red) are used to move numbers to and from the MMX processor without actually performing any operations to change their value. So why would they bother doing this?

It is no secret that antivirus engines use in-built easier to detect, as a legitimate program would almost certainly never use MMX instructions in this way when first loaded.

These variants are generically detected by Sophos as Mal/FakeVirPk-A. Whether this technique will be used more sophisticatedly in future variants is yet to be seen.