As virus analysts, all of us have to be constantly on our toes because honestly we never know what to expect.
Let me take you through a quick summary of what happens in a typical analysis of a malware sample.
Today I encountered a sample (which I subsequently created detection for as Troj/FakeAV-XR). When I ran it on my test system, the sample proceeded to send out an HTTP message to an IP address and created a few new files.
As is customary, I check my log files, and now my monitoring tools are strangely signalling to me that the innocent and humble Windows file, beep.sys, has not only changed but also mysteriously grown in file size.
Oooh, my interest has definitely been raised.
A quick load of the malformed beep.sys in my trusty IDA revealed at first nothing strange at the file’s Entry Point as shown below.
So far so good. However, peering deeper into the file, something caught my eye:
It doesn’t take Einstein to realise that this is a list containing the names of various anti-virus and security related applications and processes. Naturally, if we follow on the code from there, we arrive at this location:
From the code, we can now clearly see that the new malformed beep.sys has now acquired the ability to terminate various anti-virus and security applications and processes. A subsequent analysis of the remainder of the file only proved what I had known: the file beep.sys is malicious.
The interesting part of all of this is that instead of following the tried and trusted method of adding/modifying the appropriate registry entries so as to load the malware on startup or logon, this particular malware is practically loaded by default by Windows itself.
My colleague, Pete, highlighted this trick in an earlier blog post, so I won’t dwell on it again, but suffice it to say, it’s just another way of stealthing malware.
Oh, did I forget to mention that Sophos pro-actively detects this malicious beep.sys as Mal/FakeAle-C? Nice, eh? ;-)
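Because a replaced driver leaves no new autostart registry entry to spot, the change to beep.sys only shows up if the driver files themselves are baselined. The sketch below is an added example, not part of the original post or of any Sophos tooling: it records the size and SHA-256 of each .sys file in a directory and reports files that were modified, added or removed, along with the size change. The function names and the stand-in file contents are assumptions made for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(driver_dir):
    """Record (size, SHA-256) for every .sys file in driver_dir."""
    state = {}
    for path in sorted(Path(driver_dir).glob("*.sys")):
        data = path.read_bytes()
        state[path.name.lower()] = (len(data), hashlib.sha256(data).hexdigest())
    return state

def compare(baseline, current):
    """Return (name, status, size_delta) for every file that differs."""
    findings = []
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old is None:
            findings.append((name, "added", new[0]))
        elif new is None:
            findings.append((name, "missing", -old[0]))
        elif old[1] != new[1]:
            # Hash mismatch: content changed even if the name did not.
            findings.append((name, "modified", new[0] - old[0]))
    return findings

def demo():
    # Constructed stand-ins for driver files; not real driver contents.
    with tempfile.TemporaryDirectory() as tmp:
        drivers = Path(tmp)
        (drivers / "beep.sys").write_bytes(b"MZ" + b"\x00" * 4094)
        (drivers / "null.sys").write_bytes(b"MZ" + b"\x00" * 2046)
        baseline = snapshot(drivers)
        # Simulate the replacement described in the post:
        # same file name, different and larger contents.
        (drivers / "beep.sys").write_bytes(b"MZ" + b"\x01" * 16382)
        return compare(baseline, snapshot(drivers))

if __name__ == "__main__":
    for name, status, delta in demo():
        print(f"{name}: {status} (size change {delta:+d} bytes)")
```

On a real system the baseline would be taken from a known-clean image and stored off the host, since anything able to replace a driver can also rewrite a local baseline.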