📜 ⬆️ ⬇️

Peripeteia detection and unpacking

Hello!

Analyzing the work of the recently appeared Sality.bh , I discovered an interesting moment with the detection of its components, which I would like to talk about. Truly, the ways of the Virlabs are inscrutable! :)

So, during the system infection, this representative of the Sality family creates a series of malicious files in the% temp% directory with the functionality of stealing passwords and providing unauthorized access to the system over the network.

At the same time, a slightly obfuscated autorun.inf is created on each disk (it, of course, is hidden from the user):
[AutoRun]
;LCrpr
open =qukai.exe
;sFhlFy IjHXVbXTuwvFsUusCbckP ICvmveywrEcK
Shell\exPlore\Command= qukai.exe
;xPRxeLQpYkF ajYOvwhXffjEul GuYigjuhVTq
shElL\Open\defAuLt=1

;eodORB
SheLl\oPen\COMmaND= qukai.exe

;yWvgURCkrpRrKuhxrUvCCjvbpKkD
SheLL\AuTOpLaY\ComManD= qukai.exe

and also the little body of the malware packed by Safeguard 1.03 -> Simonzh.
')
At the same time, the author is not very worried about backdoors / passvord steelers, since they are packaged much easier - using UPX.

It would seem that everything is normal and logical. Only the lack of logic caused me that in order to work with the packaged backdoor I had to disable the antivirus, and with the unpacked one - no.

It turned out that everything is simple - the UPX-packed version has a stable detection from a number of products , for example, Kaspersky confidently considers it Backdoor.Win32.Mazben.es. But unpacked is already safe according to Kaspersky, moreover - it is completely different according to some antiviruses .

I tried to make a table reflecting the picture. Unfortunately, for some reason, VirusTotal in one case displayed, and in the other - there is no information of the following antiviruses: BitDefender, Authentium, Command, FSecure, GData, nProtect, Sunbelt, VIPRE. For this reason, they are not included in the table. So, the result:


Interestingly, Avast, AVG, Emsisoft, E-Trust-Vet, F-Prot (though only for heuristics), Ikarus, Jiangmin, Microsoft, NOD32 (also heuristics), PCTools, Symantec and TrendMicro . At the same time, Emsisoft and Ikarus do not quite correctly consider this file as a representative of Sality, in fact it is one of the implemented modules, lacking the ability to infect files.

Antiy-AVL, Comodo (although there was a detector here only on heuristics), eSafe, Fortinet, Kaspersky, McAfee, Rising, Sophos, SUPERAntiSpyware, ViRobot . For unknown reasons, these antiviruses (or specialists of these companies) detect the packed version, but do not detect the unpacked version. Is there no UPX unpacking procedure in the antivirus? I have no answer to this question.

PS This article does not discuss the effectiveness of the treatment of executable files affected by Sality.bh.

Source: https://habr.com/ru/post/108456/


All Articles