Malware Trying to Avoid Some Countries

There are different techniques that can be used by a program to identify in which country it has been installed.  It can check for time zone information, public IP addresses or even domain names.  Lately, we have seen two different malware families trying to discover their geographic location in an effort to avoid infecting PCs in specific countries.

We have found some variants of the Win32/TrojanDownloader.Swizzor family using the following code:

call    GetSystemDefaultLangID ; Indirect Call Near Procedure
[...]
mov     edi, eax
[...]
cmp     di, 419h
jz      end_function

This code calls the GetSystemDefaultLangID function and compares the result to the constant 0x419 (the comparison is made on di, the low 16 bits of the return value, since a LANGID is a 16-bit value). Browsing through the MSDN documentation reveals that this value is the language identifier for Russian (primary language LANG_RUSSIAN). It turns out that these variants of Win32/TrojanDownloader.Swizzor will exit before infecting a computer if they find that the default system language is Russian.

We have also identified the following code in the earliest variants of the Win32/Conficker malware:

push    edi             ; lpList
push    esi             ; nBuff
call    ebx             ; GetKeyboardLayoutList
cmp     esi, eax
jnz     short list_not_found
dec     esi
cmp     word ptr [edi+esi*4], 422h
jz      short dont_install

Here, the malware retrieves the list of installed keyboard layouts and works through that list. If a layout is found with the language identifier 0x422 (the low 16 bits of each keyboard layout handle hold the language identifier, which is why the comparison is on a word), the routine terminates and the malware is not installed. This means that some variants of the Win32/Conficker family will not install on a computer that uses a Ukrainian keyboard layout. Please note that this behavior is only present in W32/Conficker.A. Later variants of this malware infect any PC they can access without checking the keyboard layout.
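The two checks above boil down to comparing 16-bit Windows language identifiers against constants. The following Python is an added example for analysts, not code from the ESET post or from either malware family: it decodes a LANGID into its primary language and sublanguage fields the way winnt.h defines them, replays both decision routines on constructed inputs (a hypothetical system default language and a constructed list of keyboard layout handles), and scans a constructed disassembly listing for immediate compares that look like language identifiers, which is the quick triage question a reverser asks when a new sample turns up. The listing lines, the layout handle values and the small language table are constructed for the example.

```python
# Added example (not from the ESET post): decoding the LANGID constants the
# two samples compare against, replaying both checks on constructed data, and
# flagging language-identifier compares in a disassembly listing.
import re

# Primary language identifiers (low 10 bits of a LANGID), as defined in winnt.h.
# Only a handful are listed here; the table is easy to extend.
PRIMARY_LANG = {
    0x07: "LANG_GERMAN",
    0x09: "LANG_ENGLISH",
    0x0C: "LANG_FRENCH",
    0x19: "LANG_RUSSIAN",
    0x22: "LANG_UKRAINIAN",
}


def decode_langid(langid):
    """Split a 16-bit LANGID into (primary language name, sublanguage id).

    winnt.h: PRIMARYLANGID(l) = l & 0x3FF, SUBLANGID(l) = l >> 10, and
    SUBLANG_DEFAULT is 1, so 0x0419 is LANG_RUSSIAN with the default sublanguage.
    """
    primary = langid & 0x3FF
    sublang = langid >> 10
    return PRIMARY_LANG.get(primary, f"LANG_0x{primary:02X}"), sublang


def swizzor_would_bail(system_default_langid):
    """Swizzor's decision: exit before infecting if the default language is 0x419."""
    # The sample compares di, i.e. the low 16 bits of GetSystemDefaultLangID's result.
    return (system_default_langid & 0xFFFF) == 0x0419


def conficker_a_would_bail(keyboard_layouts):
    """Conficker.A's decision over a list of HKL values from GetKeyboardLayoutList.

    Each HKL is a 32-bit value whose low word is the language identifier; the
    sample compares only that word (cmp word ptr [...], 422h).
    """
    return any((hkl & 0xFFFF) == 0x0422 for hkl in keyboard_layouts)


# Matches "cmp <operand>, <immediate>" with an IDA-style "419h", "0x419" or
# decimal immediate, and tolerates a trailing "; comment".
IMM_RE = re.compile(
    r"^\s*cmp\s+[^,;]+,\s*(?:0x([0-9A-Fa-f]+)|([0-9A-Fa-f]+)h|(\d+))\s*(?:;.*)?$"
)


def find_langid_compares(listing):
    """Return (line number, value, primary language) for each compare whose
    immediate decodes to a known language with a non-zero sublanguage."""
    hits = []
    for lineno, line in enumerate(listing.splitlines(), 1):
        m = IMM_RE.match(line)
        if not m:
            continue
        hex0x, hexh, dec = m.groups()
        value = int(hex0x or hexh, 16) if (hex0x or hexh) else int(dec)
        primary, sublang = decode_langid(value)
        if value <= 0xFFFF and sublang >= 1 and primary in PRIMARY_LANG.values():
            hits.append((lineno, value, primary))
    return hits


# Constructed listing, modelled on the two excerpts in the post.
SAMPLE_LISTING = """\
call    GetSystemDefaultLangID
mov     edi, eax
cmp     di, 419h
jz      end_function
cmp     word ptr [edi+esi*4], 422h
jz      short dont_install
cmp     eax, 0
"""

# Constructed HKL values: en-US, uk-UA and ru-RU layouts (language id in the low word).
HKL_EN_US, HKL_UK_UA, HKL_RU_RU = 0x04090409, 0x04220422, 0x04190419

if __name__ == "__main__":
    for lineno, value, primary in find_langid_compares(SAMPLE_LISTING):
        print(f"line {lineno}: compare against 0x{value:04X} -> {primary}")
    print("Swizzor bails on ru-RU default:", swizzor_would_bail(0x0419))
    print("Conficker.A bails with uk-UA layout:",
          conficker_a_would_bail([HKL_EN_US, HKL_UK_UA]))
```

Running the script on the constructed listing reports the two compares at lines 3 and 5 as LANG_RUSSIAN and LANG_UKRAINIAN; on a real sample the same scan over an exported disassembly is a cheap first filter, and the decoder answers the follow-up question of which locale a constant actually names.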


What we are seeing now is probably the beginning of a new trend. Malware authors will try to avoid infecting PCs in specific countries to limit the risk of legal action being taken against them. In most countries, there often needs to be a victim or a complaint before law enforcement agencies take legal action against an offender in a malware infection case. Where an attacker only targets victims outside of his own country, it is much harder for law enforcement agencies to take action.

Special thanks to Sebastien Doucet and Volodymyr Pikhur for their help.

Pierre-Marc Bureau

Researcher

Author Pierre-Marc Bureau, ESET

  • Miroslav Majtaz

    Hello,

    according to the research:

    “… malware tries to retrieve a list of keyboard layouts and works through that list. If a layout is found with the language identifier of 0x422, the routine terminates and the malware is not installed. This means that some variants of the Win32/Conficker family will not install on a computer that uses a Ukrainian keyboard layout.”

    But F-Secure speaks about 14,767 compromised computers in Ukraine (full article at http://www.f-secure.com/weblog/archives/00001579.html).

    This might look like a slight contradiction between these two findings. However, there is an update from ESET’s virus lab stating that the new .AA variant and above infect *ALL* computers without any restrictions. The keyboard layout check is present in the old .A variant.

  • Pierre-Marc Bureau (http://www.eset.com/threat-center)

    Hi,

    Thanks for your comment. I have changed the wording in the blog post to make it clear that we are only talking about the first variant of Conficker, labeled as Win32/Conficker.A by ESET Antivirus. Later variants of this threat can infect *any* PC, regardless of the keyboard layout it uses.

  • alexb (http://www.alexcreativeconsulting.com)

    There are tons of variations of viruses when they come out, spin-offs that are less widespread. What language is the above code written in?

  • Pierre-Marc Bureau

    Hi alexb,

    The code we have analyzed in this blog post was probably written in C, but we only had access to the compiled executable. Thus we analyzed the assembly code from the executable.


4 articles related to:
Hot Topic
15 Jan 2009
ESET Virus Radar

Copyright © 2014 ESET, All Rights Reserved.