Mirror, Mirror on the wall..

December 19, 2008


Who's the PWNiest of them all?

For NUBs' edification: most malware is not that advanced. The secret is to get past all the BS perimeter and host defenses to run yer code. How do they do it? Crazy-ass armoring and obfuscation to get past all that stuff. What do I mean? Well, take a derivative of commercial software "protection", add a little poly- and metamorphism (a fresh encryption key and decoder stub per sample, or code that gets rewritten per sample, so no two copies share a byte signature), and you get the picture. Malware samples skyrocket, malware detection drops through the floor, identity theft explodes, botnets proliferate, and everyone gets the bejesus scared right out of them.
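To make the poly/metamorphism point concrete, here is an added example (mine, not code from the original post or from any real packer): a toy polymorphic encoder wrapped around a constructed dummy payload. Every variant gets a fresh XOR key, a random junk prefix and its own little header, so an on-disk byte signature lifted from the payload matches none of the variants, while every variant still decodes to the identical payload at runtime. The payload, the signature and the header format are all hypothetical.

```python
"""Toy polymorphic encoder (added example, not from the original post).
The payload, signature and header layout are constructed for illustration."""
import hashlib
import random

# Constructed stand-in for a malicious payload: in real life this is the
# unpacked code the AV vendor actually wrote a signature for.
PAYLOAD = b"\xE8\x00\x00\x00\x00\x5B\x81\xEB\x10\x20\x30\x40HELLO_PWNIE_BOT"
# A naive signature: 8 contiguous bytes lifted from the plaintext payload.
SIGNATURE = PAYLOAD[4:12]

MAGIC = b"PM"  # hypothetical header tag so the decoder can find its own fields


def encode_variant(payload: bytes, rng: random.Random) -> bytes:
    """Build one variant: MAGIC || key || junk_len || junk || xor-encoded body."""
    key = rng.randrange(1, 256)              # never 0: that would leave plaintext on disk
    junk = bytes(rng.randrange(256) for _ in range(rng.randrange(4, 32)))
    body = bytes(b ^ key for b in payload)
    header = MAGIC + bytes([key, len(junk)])
    return header + junk + body


def decode_variant(blob: bytes) -> bytes:
    """Reverse encode_variant(); this is what the decoder stub does at runtime."""
    if not blob.startswith(MAGIC):
        raise ValueError("not one of our variants")
    key, junk_len = blob[2], blob[3]
    body = blob[4 + junk_len:]
    return bytes(b ^ key for b in body)


def signature_hits(samples, signature: bytes = SIGNATURE) -> int:
    """Count samples that a fixed byte-pattern scanner would flag."""
    return sum(1 for s in samples if signature in s)


def generate_family(n: int, seed: int = 1337):
    """n variants of the same payload, deterministic for a given seed."""
    rng = random.Random(seed)
    return [encode_variant(PAYLOAD, rng) for _ in range(n)]


def family_stats(n: int = 200, seed: int = 1337) -> dict:
    """What the scanner sees on disk versus what is in memory once the stub has run."""
    family = generate_family(n, seed)
    return {
        "unique_hashes": len({hashlib.sha256(v).hexdigest() for v in family}),
        "static_hits": signature_hits(family),                              # file scan
        "runtime_hits": signature_hits(decode_variant(v) for v in family),  # after unpack
        "all_decode_ok": all(decode_variant(v) == PAYLOAD for v in family),
    }


if __name__ == "__main__":
    print(family_stats())
```

Run it and you get 200 unique hashes, zero static hits and 200 runtime hits: the bytes your scanner was written for are all there, they just do not exist on disk until the stub has executed, which is why memory scanning and unpack-on-execute beat file-based signatures against this stuff.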

Oh yeah, the Government gets pwned, blames China, then spends billions of dollars and classifies every scrap of information attached to Cyber it can get its hands on, making research 10 times more difficult unless you can wait the 10-plus years to get a goddamn alien X-Files clearance (read: SCI with full-scope polygraph).

So, on to the war weapons that allow all this to happen. Much malware just haxors existing open-source packer code and adds some polymorphism to it, then adds a slew (see the OpenRCE Anti Reverse Engineering Techniques Database) of anti-dump, anti-analysis, anti-sandbox, anti-debug, anti-VM and anti-tracing tricks, bundles/binds all its little nastiness into a package, and distributes it via massive SQL injection attacks, seeding the injected pages with a lovely 0-day mass exploit like the latest IE7 fiasco if they can get one.

I will list some of the most difficult tools to generically unpack, the ones that are giving security professionals nightmares. Obviously malware authors are cheap, like to roll their own protections oblivious to the fact that you can purchase professional shit and get much better output, or are just plain damn lazy. Another take is that it's so easy to bypass today's defenses, so why even bother? I'm putting my bets on lazy and easy.
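Before you know which of the unpacking write-ups below to reach for, you need to know what you are looking at, and the homebrew stuff above does not announce itself. The following is an added example (not from the original post, and not anyone's production tool): a first-pass packer triage in pure-stdlib Python that walks a PE section table and flags known packer section names, sections with suspiciously high entropy, and sections that are both writable and executable. The three PE images are built in memory and are constructed, not real samples; the section-name table is a partial, illustrative list, and the 7.0 entropy threshold is a rule of thumb, not a standard.

```python
"""PE packer triage by section heuristics (added example, not from the original post).
The PE images below are constructed in memory; the packer-name table is partial."""
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes

# Partial, illustrative list of section names left behind by common packers/protectors.
PACKER_SECTIONS = {
    "UPX0": "UPX", "UPX1": "UPX",
    ".themida": "Themida",
    ".vmp0": "VMProtect", ".vmp1": "VMProtect",
    ".aspack": "ASPack", ".adata": "ASPack",
    ".petite": "Petite",
}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits/byte: ~0 for padding, close to 8 for compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def sections(pe: bytes):
    """Walk the section table of a PE image, yielding (name, raw_bytes, characteristics)."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    for i in range(nsections):
        name, _vs, _va, raw_size, raw_ptr, _, _, _, _, flags = SECTION_HDR.unpack_from(pe, table + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        yield name, pe[raw_ptr:raw_ptr + raw_size], flags


def triage(pe: bytes, entropy_threshold: float = 7.0) -> dict:
    """Flag a PE as probably packed, returning the reasons so the analyst can argue with them."""
    reasons = []
    for name, raw, flags in sections(pe):
        if name in PACKER_SECTIONS:
            reasons.append(f"{name}: section name typical of {PACKER_SECTIONS[name]}")
        if raw and entropy(raw) > entropy_threshold:
            reasons.append(f"{name}: entropy {entropy(raw):.2f} > {entropy_threshold}")
        if flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE:
            reasons.append(f"{name}: section is both writable and executable")
    return {"packed": bool(reasons), "reasons": reasons}


def build_pe(secs) -> bytes:
    """Assemble a minimal 32-bit PE image from [(name, raw_data, characteristics)]; constructed, not real."""
    opt_size, align = 0xE0, 0x200
    hdr_end = (0x40 + 4 + 20 + opt_size + 40 * len(secs) + align - 1) & ~(align - 1)
    raw_ptr, va, table, blobs = hdr_end, 0x1000, b"", b""
    for name, data, flags in secs:
        size = (len(data) + align - 1) & ~(align - 1)
        table += SECTION_HDR.pack(name.encode().ljust(8, b"\0"), max(len(data), 1), va,
                                  size, raw_ptr if data else 0, 0, 0, 0, 0, flags)
        blobs += data.ljust(size, b"\0")
        raw_ptr, va = raw_ptr + size, va + 0x1000
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)                      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, opt_size, 0x102)  # i386 EXE
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")                        # PE32 magic, rest zeroed
    return (dos + b"PE\0\0" + coff + opt + table).ljust(hdr_end, b"\0") + blobs


def pseudo_random(n: int, seed: int) -> bytes:
    """Deterministic high-entropy filler standing in for a compressed/encrypted section."""
    x, out = seed, bytearray()
    for _ in range(n):
        x = (x * 1103515245 + 12345) & 0xFFFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)


# Three constructed samples: a boring unpacked EXE, a UPX-style one, and a homebrew packer
# that uses innocent section names but still gives itself away.
CLEAN_PE = build_pe([(".text", (b"\x55\x8b\xec\x83\xec\x10" + b"\x90" * 10) * 128, 0x60000020),
                     (".data", b"config=1\0" * 64, 0xC0000040)])
UPX_PE = build_pe([("UPX0", b"", 0xE0000080),                        # empty on disk, filled at runtime
                   ("UPX1", pseudo_random(4096, 7), 0xE0000040)])    # compressed body, RWX
HOMEBREW_PE = build_pe([(".text", pseudo_random(4096, 99), 0xE0000020),
                        (".rdata", b"\0" * 512, 0x40000040)])

if __name__ == "__main__":
    for label, pe in (("clean", CLEAN_PE), ("upx", UPX_PE), ("homebrew", HOMEBREW_PE)):
        print(label, triage(pe))
```

The homebrew sample is the interesting one: innocent section names, no known packer string, and it still lights up on entropy and on a writable-and-executable section, which is roughly what you get when authors roll their own protection. None of this survives a protector that deliberately keeps entropy down or spreads its stub across normal-looking read-only sections; it is triage, not a verdict, and the real work starts with the write-ups below.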

THEMIDA by Oreans, and some useful resources to unpack it:

themida11

cvprotopt

VMProtect by VMPsoft, and how to analyze it:

This thing is awesome: it's basically malware running in its own virtualization engine. The protected code is translated into bytecode for a custom virtual machine embedded in the binary, so a disassembler shows you the VM's handlers rather than the original logic, and you can't just find the OEP and dump, because the original x86 for the virtualized parts never gets reconstructed in memory.
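To show what "running in its own virtualization engine" means, here is an added example that is neither VMProtect's code nor code from the original post: a toy code virtualizer. A constructed serial check is lowered to bytecode for a tiny stack machine whose opcode numbering and immediate encoding are re-randomized per build, so two builds of the same logic share no bytes and a native disassembler only ever sees the handler loop. All names, the ISA and the check constants are hypothetical.

```python
"""Toy code virtualizer (added example; not VMProtect's code, not from the original post).
The ISA, the serial check and every name here are constructed for illustration."""
import random
import struct

MNEMONICS = ["PUSH", "LOAD", "ADD", "MUL", "XOR", "EQ", "RET"]   # the VM's tiny ISA

# The logic to protect (constructed): a serial check  ((x * 3) + 7) ^ 0x55 == 0x1234
CHECK_PROGRAM = [
    ("LOAD", 0), ("PUSH", 3), ("MUL", None), ("PUSH", 7), ("ADD", None),
    ("PUSH", 0x55), ("XOR", None), ("PUSH", 0x1234), ("EQ", None), ("RET", None),
]


class Virtualizer:
    """One 'build' of the protector: a fresh opcode permutation and immediate key."""

    def __init__(self, seed: int):
        rng = random.Random(seed)
        codes = rng.sample(range(256), len(MNEMONICS))
        self.encode = dict(zip(MNEMONICS, codes))        # mnemonic -> opcode byte for this build
        self.decode = {c: m for m, c in self.encode.items()}
        self.imm_key = rng.randrange(1, 1 << 32)        # immediates are stored XORed with this

    def compile(self, program) -> bytes:
        """Lower the program to this build's bytecode: opcode byte, then optional 4-byte immediate."""
        out = bytearray()
        for mnem, arg in program:
            out.append(self.encode[mnem])
            if mnem in ("PUSH", "LOAD"):
                out += struct.pack("<I", (arg ^ self.imm_key) & 0xFFFFFFFF)
        return bytes(out)

    def run(self, bytecode: bytes, args) -> int:
        """The handler loop: this is the only native code a disassembler of the binary sees."""
        stack, pc = [], 0
        while pc < len(bytecode):
            mnem = self.decode[bytecode[pc]]
            pc += 1
            if mnem in ("PUSH", "LOAD"):
                imm = struct.unpack_from("<I", bytecode, pc)[0] ^ self.imm_key
                pc += 4
                stack.append(imm if mnem == "PUSH" else args[imm])
            elif mnem == "RET":
                return stack.pop()
            else:
                b, a = stack.pop(), stack.pop()
                result = {"ADD": a + b, "MUL": a * b, "XOR": a ^ b, "EQ": int(a == b)}[mnem]
                stack.append(result & 0xFFFFFFFF)
        raise RuntimeError("fell off the end of the bytecode")


def native_check(x: int) -> bool:
    """Plain version of the same logic, for comparison."""
    return (((x * 3) + 7) ^ 0x55) == 0x1234


def protected_check(x: int, seed: int = 1) -> bool:
    """Same check, but compiled for and executed by one build of the VM."""
    vm = Virtualizer(seed)
    return bool(vm.run(vm.compile(CHECK_PROGRAM), [x]))


def builds_differ(seed_a: int, seed_b: int) -> bool:
    """Same program, two builds: same answers, different bytes on disk."""
    a, b = Virtualizer(seed_a), Virtualizer(seed_b)
    return a.compile(CHECK_PROGRAM) != b.compile(CHECK_PROGRAM)


def constant_in_clear(seed: int, value: int) -> bool:
    """Would a strings/grep pass over the bytecode find the raw constant?"""
    return struct.pack("<I", value) in Virtualizer(seed).compile(CHECK_PROGRAM)


if __name__ == "__main__":
    print(native_check(1566), protected_check(1566), protected_check(1567))
    print("builds differ:", builds_differ(1, 2), "0x1234 visible:", constant_in_clear(1, 0x1234))
```

The reversing cost comes from the fact that `run()` is the only native code: to recover the check you have to identify each handler, recover this build's opcode mapping and immediate key, and then write a disassembler for an ISA nobody has seen before, and the next build invalidates all of it. Real protectors pile handler duplication, junk handlers and a scrambled register/context layout on top of this, but the shape is the same.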

vmprotect1

SVKP by Defendion, and some analysis (you'll probably need to run it through Babelfish if you can't read Italian).

More protectors to be added later
