New ZBots and Emulation/Virtualization

The latest malware threats from across the security forums


New ZBots and Emulation/Virtualization

Postby Spudz » Mon Oct 12, 2009 12:21 pm

Monday, October 12, 2009
New ZBots and Emulation/Virtualization

In my talk at the University of Florida (video link here) I pointed out how important correct error handling in Emulation/Virtualization is. Today we got new ZBot samples and they are using exactly that to avoid generic emulation / unpacking. I had 5 min time to take a couple of screenshots and to add some comments to them. So here is a closer look at the start-up code of these ZBots.

They call the API function "SwitchDesktop" from User32.DLL with a wrong desktop handle on purpose. The desktop handle is always wrong - see the code at "results in invalid handle".

Usually this API function sets its return code (Non-Zero for Success) in register EAX. So they move this result to the stack and since EAX is 4 bytes (unsigned long) you see there a sub of the stack pointer with 4. That code passage alone is highly obfuscated code and you won't see that with normal compilers, because there's no need to push EAX on the stack if you pop it afterwards without any changes in between.

So, they pop EBX (read: the value in EAX is now in EBX) and compare that with zero. Remember: This function should return zero, because it got an invalid handle on purpose. Basically this API must return as "Sorry can't do that, I don't know that handle - ERROR". Most emulation systems use so-called "Dummy-APIs". There they just return always true or always false.

Our Behavior-based Virtualization (MX-V) knows such tricks and decrypts the executable and finds interesting stuff inside the file. For example a mutex that gets created after decryption and right before process enumeration (all done in Unicode) that hints that the authors of this malware do know about AVIRA Antivirus. But look for yourself:


http://sunbeltblog.blogspot.com/2009/10 ... ation.html
Spam - Uninteresting garbage quickly deleted.
Spammer - A parasitic worm intent on creating internet misery.
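The error-handling point in the quoted post, as an added example that is not from the post, the Sunbelt blog or MX-V: a constructed model of an emulator's API-stub layer with a small handle table, a "dummy" SwitchDesktop stub that always reports success, a correct stub that fails on unknown handles the way the real API does (return 0, last error ERROR_INVALID_HANDLE), and the post's push-EAX/pop-EBX/compare-with-zero check used as a regression test that the correct stub passes and the dummy stub fails. All handle values and the Emu structure are invented for the example.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed model of an emulator's API-stub layer (not Windows, not MX-V):
 * a tiny handle table lets a stub tell a real desktop handle from a bogus one,
 * which the post says a "Dummy-API" cannot do. */
#define ERROR_INVALID_HANDLE 6   /* real Win32 error code for a bad handle */
#define MAX_HANDLES 8

typedef struct {
    uintptr_t handles[MAX_HANDLES];  /* desktop handles the guest obtained */
    size_t count;
    uint32_t last_error;             /* models what GetLastError() would return */
} Emu;

/* Hand out a handle the guest legitimately obtained (as OpenDesktop would). */
uintptr_t emu_open_desktop(Emu *e) {
    uintptr_t h = 0x1000 + 4 * (uintptr_t)e->count;  /* constructed value */
    e->handles[e->count++] = h;
    return h;
}

/* Dummy-API stub of the kind the post describes: success no matter what. */
int dummy_switch_desktop(Emu *e, uintptr_t h) { (void)e; (void)h; return 1; }

/* Correct stub: only a handle the guest was actually given succeeds; any
 * other value fails like the real API, returning 0 and setting the error. */
int emu_switch_desktop(Emu *e, uintptr_t h) {
    for (size_t i = 0; i < e->count; i++)
        if (e->handles[i] == h) return 1;
    e->last_error = ERROR_INVALID_HANDLE;
    return 0;
}

/* The start-up check from the post, written in C and used here as a test of
 * the stub: call with a deliberately invalid handle, keep the result
 * (push eax / pop ebx), compare with zero. Returns 1 when the guest would
 * conclude it is inside an emulator, i.e. the stub wrongly reported success. */
int guest_detects_emulator(Emu *e, int (*switch_desktop)(Emu *, uintptr_t)) {
    uintptr_t bogus = 0xDEADBEEF;        /* never issued by emu_open_desktop */
    int eax = switch_desktop(e, bogus);  /* on real Windows this is 0 */
    int ebx = eax;                       /* push eax / pop ebx, no change */
    return ebx != 0;                     /* nonzero means "emulator spotted" */
}
```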
