Come along, little doggy, come along

The most common malware technique for avoiding detection is to create loads of “fresh” variants. Actually, the component that changes so frequently is the packer – the outer layer of the malware, used by malware authors to encrypt the malware and make it harder to detect – whilst the functionality of the malicious code inside remains the same. The packer writer's job is to modify the "wrapper" when the malware is detected by antivirus engines. By using well-written generic signatures, we’re able to detect large quantities of malware variants, making the malware distributor's job a lot harder.

During our daily sample processing we recently stumbled upon a “greeting” hidden in one such packer:

hey nod32 guys, your last work was very good, i was really surprised. I spent over 4 hours to fix these detections. But the better man still stands. Come along little doggy come along. MUHAHAHAHAHA

It’s good to know that our generic detection gave the author of this packer a hard time. This particular example was the injector component of Win32/Spy.Zbot.YW (a variant of the Zeus trojan). But the same packer was also found supporting other malware families, which demonstrates how things work in the malware business: the author of the packer provides it as a service to other criminals using the Zeus malware kit.

Robert Lipovsky
Malware Researcher

 

Author Robert Lipovsky, ESET

  • NoobStick

    Hello Robert L.
    Very catchy title and a good blog entry about how easy malware creators can pacts detected malware to a new version.
    Best Regards ans take care
    NoobSrick

  • Peter French

    Great article! Thank you Robert.
     

Follow Us

Automatically receive new posts via email:

Delivered by FeedBurner

26 articles related to:
Hot Topic
ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.