W32/Xpaj – Know Your Polymorphic Enemy

The latest malware threats from across the security forums

Spudz
Posts: 1856
Joined: Mon Jul 20, 2009 4:35 am
Area Of Expertise: General guidance and advice
experience: Not only can I turn PC on, I know most of its functions too
PC time: Alot more than I should
Location: Kent, UK

W32/Xpaj – Know Your Polymorphic Enemy

Postby Spudz » Tue Sep 22, 2009 3:22 am

Nowadays, most anti-virus products can deal with viruses relatively easily using a variety of technology. Decent emulator-based scan engines can handle a majority of polymorphic and metamorphic viruses, including those that use the entry-point obscuring technique (EPO). But when it comes to viruses with delay load and random code block insertion such as W32/Zmist (aka Mistfall) – code emulators are not the best approach to consider. We came across a new W32/Xpaj variant which has been actively spreading recently. It utilizes well-known techniques to evade detection that are otherwise seldom found in live virus analysis.

The new W32/Xpaj uses a random code block integration technique to infect files. It does not change the original entry point of the file. Instead, W32/Xpaj builds several code blocks responsible for different functionalities and moves them into random locations throughout the code section of the infected file. It is similar to what W32/Zmist used to employ, but uses code replacement instead of code insertion.

Its polymorphic decryptor is represented by a number of code blocks linked by unconditional jumps. Once executed, the polymorphic decryptor gains control and performs different tasks:

1. Saving the original state of the infected application and preserving all the registers used by the virus;
2. Changing the protection flags of the memory the virus body is located in;
3. Decrypting the virus body;
4. Jumping to the decrypted virus body, etc.


http://www.avertlabs.com/research/blog/ ... hic-enemy/
Spam - Uninteresting garbage quickly deleted.
Spammer - A parasitic worm intent on creating internet misery.



Re: W32/Xpaj – Know Your Polymorphic Enemy

Postby Spudz » Thu Sep 24, 2009 3:34 am

This is now also detected by CA as shown here: http://www.ca.com/us/securityadvisor/vi ... x?id=79776


Re: W32/Xpaj – Know Your Polymorphic Enemy

Postby Spudz » Thu Sep 24, 2009 4:56 pm

Some extra info on this polymorphic virus threat.

Win32/Xpaj.A analysis notes

Published: September 24 2009, 06:13 PM
by Benjamin Googins

Analysis completed by engineers Taras Malivanchuk and Kenneth Co Yu.

Win32/Xpaj.A is an EPO (entry point obfuscation) polymorphic virus. It specifically sets out to make anti-virus analysis difficult and slow down antivirus scans. The analysis notes below should be read in combination with the high level virus description, here: http://www.ca.com/us/securityadvisor/vi ... x?id=79776

Win32/Xpaj.A infects files with the extensions exe, dll, sys and scr using the findfirst/findnext functions. The virus first searches the system directory (C:\Windows\System32 or C:\Winnt\system32, for example). Then it moves on to files at the root directory, typically C:\.

For clarification, its predecessor, the Win32/Xpaj.B virus, was a simple non-encrypted EPO virus that appended itself to the last section and replaced some call (E8) instruction arguments in the host's code with calls to the virus.


http://community.ca.com/blogs/securitya ... notes.aspx
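Added example (my own, not code from the CA write-up or the forum post): a defender-side heuristic for the call-patching style the predecessor is described with, flagging E8 rel32 CALLs in a code section whose target leaves that section (for instance into the last section). The section layout and the byte string are constructed samples; a linear byte scan also trips on 0xE8 bytes that belong to other instructions, so hits that land in no section at all need a real disassembler to confirm.

```python
import struct
from dataclasses import dataclass

@dataclass
class Section:
    name: str
    rva: int    # section start, relative to the image base
    size: int   # virtual size

    def contains(self, rva: int) -> bool:
        return self.rva <= rva < self.rva + self.size

def find_cross_section_calls(code: bytes, code_sec: Section, sections: list):
    """Linear byte scan of a code section for E8 rel32 CALLs whose target
    lies outside the section the call sits in. Returns a list of
    (offset_in_section, target_rva, name_of_section_hit_or_None)."""
    hits = []
    for i in range(len(code) - 4):          # need 4 bytes of rel32 after the opcode
        if code[i] != 0xE8:
            continue
        rel = struct.unpack_from("<i", code, i + 1)[0]
        target = code_sec.rva + i + 5 + rel  # CALL rel32 is relative to the next instruction
        if code_sec.contains(target):
            continue                         # ordinary intra-section call
        dest = next((s.name for s in sections if s.contains(target)), None)
        hits.append((i, target, dest))
    return hits

# Constructed sample layout: .text at RVA 0x1000, .rsrc is the last section.
SECTIONS = [Section(".text", 0x1000, 0x200),
            Section(".data", 0x2000, 0x100),
            Section(".rsrc", 0x3000, 0x100)]

SAMPLE_CODE = (
    b"\x90\x90\x90\x90"                      # nop x4
    + b"\xE8" + struct.pack("<i", 0x37)      # call 0x1040: stays inside .text (benign)
    + b"\x90\x90\x90"
    + b"\xE8" + struct.pack("<i", 0x1FFF)    # call 0x3010: lands in .rsrc (suspicious)
    + b"\xC3"                                # ret
    + b"\xB8\xE8\x00\x00\x00"                # mov eax, 0xE8: this E8 is an immediate, not a call
    + b"\xC3"                                # ret
)

def demo():
    return find_cross_section_calls(SAMPLE_CODE, SECTIONS[0], SECTIONS)

if __name__ == "__main__":
    for off, tgt, dest in demo():
        print(f".text+{off:#06x}: call -> {tgt:#x} ({dest or 'no section; likely E8 inside data'})")
```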


Re: W32/Xpaj – Know Your Polymorphic Enemy

Postby Spudz » Thu Oct 01, 2009 6:04 am

W32.Xpaj.B – An Upper Crust File Infector
Piotr Krysiuk
September 30th, 2009

It is not very common for a file infector to do more than simply introduce trivial modifications to the files it infects. Virus authors usually avoid complex modifications to the files because of the possibility of corruption. W32.Xpaj.B is one of the exceptions.

W32.Xpaj.B is an entry-point obscuring, polymorphic file infector. The virus is not completely new and shares some of its characteristics with its predecessor, W32.Xpaj, first seen in June 2008. What sets this creature apart is the amount of effort its authors have invested into hiding their malicious code in the files it infects.

W32.Xpaj.B is more sophisticated than your average file infector. To make finding its malicious code difficult, the virus avoids putting any obvious signs in the infected files. Unlike most simple viruses, it doesn’t attempt to execute the virus code by hijacking control when the infected file is started. Instead, the virus overwrites some subroutines from the infected files with its own code and then stores a copy of the overwritten subroutines that will execute after it gains control. However, this infection method does not guarantee that the virus code will execute every time an infected file is executed. When the virus overwrites a subroutine that is used for a specific task, the virus code will only execute when the user uses this functionality in the application.

However, it’s possible that overwritten subroutines may be unreachable after infection. Infecting select subroutines—as opposed to the entry point of the application—is not without risk to the author of Xpaj; rather, it’s entirely possible that the newly overwritten subroutines may not actually be executed during runtime. To improve its chances of being executed, the virus usually overwrites more than one subroutine and also redirects some other unrelated calls to point to its own code.


http://www.symantec.com/connect/blogs/w ... e-infector


Re: W32/Xpaj – Know Your Polymorphic Enemy

Postby Spudz » Tue Oct 06, 2009 2:23 pm

W32/Xpaj Botnet Growing Rapidly

Tuesday October 6, 2009 at 10:08 am CST
Posted by Vitaly Zaytsev

Two weeks ago I blogged about a new virus–W32/Xpaj–found in the wild by McAfee researchers and actively spreading around the world. Since then we have closely monitored the change in spread and severity of the virus, improved generic detection for future W32/Xpaj instances, and added cleaning and proper repair for all the files infected by the virus. Today I want to share more news related to this threat.

Further analysis has revealed some interesting details about the malicious behavior of W32/Xpaj. The virus is building a widespread “zombie” network by taking control of thousands of Internet-connected computers. The new botnet is in its infancy, although thousands of machines have been infected during the last two weeks. The botnet infects computers around the world and has spread across many countries. The attacks are mostly aimed at enterprises, but they have now spread to consumer machines as well. Based on multiple characteristics and our own research, the virus is most probably the work of eastern European cybercriminals.

Most bots are connected to a central location from where one machine can control the entire botnet. W32/Xpaj, on the other hand, deploys several control channels to communicate and control its bots. It employs the same techniques used by Srizbi and Conficker; that is, it uses randomly generated DNS names for backup control servers. Even though W32/Xpaj does not know where the control server is, it knows how to search for it, making it possible to predict which host is in use on a given day.


http://www.avertlabs.com/research/blog/ ... g-rapidly/

Mystery
Posts: 232
Joined: Fri Jul 10, 2009 7:56 am
Gender: Female
experience: Not only can I turn PC on, I know most of its functions too
PC time: Alot more than I should
Location: Switzerland

Re: W32/Xpaj – Know Your Polymorphic Enemy

Postby Mystery » Wed Oct 07, 2009 1:47 am

Bad news :(
Thanks for the info Spudz :)
Why do geeks think Halloween and Christmas occur on the same day?
Because 31oct = 25dec ;)

