Malware exploiting x86 machine code redundancy

Every anti-virus product on the market these days is furnished with an emulator which provides a safe sandbox for running executable files before they get loaded and executed in the real environment. By definition an emulator will never behave exactly like ‘the real thing’, and malware authors continually try to exploit this fact in order to evade detection.

In that sense x86 machine code is not helpful to defenders, since it allows certain instructions to be encoded in several different ways. A nice list of some of these tricks can be seen here.

While analyzing the dropper component of a pretty famous rootkit in IDA, it was quite obvious that something weird was going on.

Courtesy of the square bracket at the end of the mov disassembly listing, I could notice that a SIB byte (0x25, 0x65, 0xA5 or 0xE5) was used although it has no real effect: with no index register selected, the scale bits are ignored and the operand is simply [disp32]. You’re free to swap those bytes, and if you are in the mood for fixing the offsets of the surrounding code, you could replace them with a shorter encoding.

It’s quite evident that this is done intentionally in order to break emulation: this sequence of mov instructions sits at the entry point of the dropper, while a similar piece of code in this very same sample uses the standard encoding.
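To make the redundancy concrete and show how a scanner can flag it, here is an added example (my own code, not from the original post or the sample it describes). It decodes the ModRM/SIB bytes of the two register/memory `mov` forms (opcodes 0x8B and 0x89; restricting to these is an assumption for brevity), reconstructs the operand, and reports a SIB byte as redundant when it names no index register and a base other than esp, since that operand could have been expressed in ModRM alone one byte shorter. The sample byte string is constructed: the four [disp32] encodings with SIB 0x25/0x65/0xA5/0xE5, the canonical six-byte form, and two movs where the SIB is genuinely required.

```python
"""Decode 32-bit x86 'mov' memory operands and flag redundant SIB bytes.

Added example, not code from the original post. Assumption: only the
register<->memory MOV opcodes 0x8B and 0x89 are modelled, 32-bit mode, no
prefixes.
"""
import struct

MOV_OPCODES = {0x8B: "mov r32, r/m32", 0x89: "mov r/m32, r32"}
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode_mov(code: bytes, off: int = 0) -> dict:
    """Decode one mov with a memory operand at code[off:] and describe its encoding."""
    opcode = code[off]
    if opcode not in MOV_OPCODES:
        raise ValueError(f"unsupported opcode {opcode:#04x} at offset {off}")
    modrm = code[off + 1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod == 3:
        raise ValueError("register-direct form, no memory operand")
    pos = off + 2
    sib = None
    scale = index = base = None
    if rm == 4:                      # r/m=100 with mod!=11: a SIB byte follows
        sib = code[pos]
        pos += 1
        scale, index, base = sib >> 6, (sib >> 3) & 7, sib & 7
    # mod=00 with r/m=101 (no SIB) or with SIB base=101 means a bare disp32 and no base register
    no_base = (sib is None and mod == 0 and rm == 5) or (sib is not None and mod == 0 and base == 5)
    disp = 0
    if no_base or mod == 2:
        disp = struct.unpack_from("<i", code, pos)[0]
        pos += 4
    elif mod == 1:
        disp = struct.unpack_from("<b", code, pos)[0]
        pos += 1

    parts = []
    if sib is not None:
        if index != 4:               # index=100 means "no index"; the scale bits are then ignored
            parts.append(f"{REGS[index]}*{1 << scale}")
        if not no_base:
            parts.append(REGS[base])
    elif not no_base:
        parts.append(REGS[rm])
    if parts:
        operand = "+".join(parts)
        if disp > 0:
            operand += f"+{disp:#x}"
        elif disp < 0:
            operand += f"-{-disp:#x}"
    else:
        operand = f"{disp & 0xFFFFFFFF:#x}"
    operand = f"[{operand}]"
    text = f"mov {REGS[reg]}, {operand}" if opcode == 0x8B else f"mov {operand}, {REGS[reg]}"

    # A SIB byte that carries no index only supplies a base; every base except esp
    # can be named directly in ModRM r/m, so such a SIB is one wasted byte (and its
    # scale bits are don't-care, which is why 0x25/0x65/0xA5/0xE5 are interchangeable).
    redundant = sib is not None and index == 4 and base != 4
    length = pos - off
    return {
        "offset": off,
        "text": text,
        "length": length,
        "sib": sib,
        "redundant_sib": redundant,
        "canonical_length": length - 1 if redundant else length,
    }


def scan(code: bytes) -> list:
    """Decode consecutive movs and return one record per instruction."""
    out, off = [], 0
    while off < len(code):
        rec = decode_mov(code, off)
        out.append(rec)
        off += rec["length"]
    return out


# Constructed sample: the same mov eax, [0x401000] encoded five ways, then two
# movs whose SIB byte is genuinely required.
SAMPLE = bytes.fromhex(
    "8B042500104000"   # SIB 0x25: scale=1, no index, no base
    "8B046500104000"   # SIB 0x65: scale=2, ignored because there is no index
    "8B04A500104000"   # SIB 0xA5
    "8B04E500104000"   # SIB 0xE5
    "8B0500104000"     # canonical 6-byte form, ModRM r/m=101, no SIB
    "8B0424"           # mov eax, [esp]: base esp needs a SIB
    "8B449D08"         # mov eax, [ebx*4+ebp+0x8]: index register needs a SIB
)

if __name__ == "__main__":
    for rec in scan(SAMPLE):
        flag = " <- redundant SIB" if rec["redundant_sib"] else ""
        print(f"{rec['offset']:#06x}: {rec['text']:<28} {rec['length']} bytes{flag}")
```

Running it lists the first four instructions as the same `mov eax, [0x401000]` at 7 bytes each with a redundant SIB, the fifth as the canonical 6-byte form, and leaves `[esp]` and the scaled-index form unflagged. In a real scan, a run of such non-canonical encodings at an entry point is exactly the kind of anomaly worth surfacing, since an assembler or compiler will never emit them on its own.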