Comments on: Funny coded malware

By: Charity

Charity — Tue, 16 Jun 2009 12:57:58 +0000

Try and protect your computer.
If you are like me then you have probably tired many different types of scans to try and protect your computer. There are many different options available but I have found that most of them pick up the same bugs whether you pay for the scan or download a free version. Orbasoft Antispyware (http://www.orbasoft.com) is one of the best that I have found so far and it cost less than many of the other well-known scans on the market today. If you are searching for a good scan I suggest that you check out the antispyware solution from Orbasoft.

By: metr0

metr0 — Mon, 04 Aug 2008 11:36:57 +0000

I experienced the same behaviour with MSVC9. Speed Optimisation causes the compiler to replace loop with a couple of linear instructions, behaving the same. But I’m not sure if a compiler would have done it in such a big loop? 0o

Concerning the GPA part with later error checking, I think that’s fine if the APIs aren’t used in between – even though it’s a lack of speed since the whole upcoming code might rely on all APIs being resolved correctly. ;)

By: apuromafo

apuromafo — Wed, 09 Jul 2008 14:47:42 +0000

nice work done :) but where the malware xploit the msn?..well is a misterius :)
quite nice , well very nice :)

By: zairon

zairon — Thu, 03 Jul 2008 20:15:16 +0000

File was produces by Visual C++ v6, and according to “Developing Optimized Code with Microsoft Visual C++ 6.0″ technical article (of course available at microsoft.com) :
“Loop unrolling allows the compiler to turn the loop into straight-line code, which improves speed at the expense of size. On x86 processors, loop unrolling can make a dramatic speed improvement if multiple-byte operations can replace single-byte operations that run in the same number of clocks.”

I have to read more than few lines from an article, but from the 3 examples above this concept could be fully applied to the first one only (the big decryption block).
It still doesn’t have sense right now. I’ll investigate a bit more later. Thx.

By: R

Thu, 03 Jul 2008 19:59:32 +0000

Speed optimisation, no jump back, no roll count and probably some cool stuff with the pipeline too.

By: zairon

zairon — Thu, 03 Jul 2008 19:41:41 +0000

Thx for the info, I didn’t know the existence of such parameters… my fault.
Now the question is: why do you need to unroll loops?

By: R

Thu, 03 Jul 2008 19:31:53 +0000

I am not sure if you missed something really simple or I didn’t understand your post, but it’s a standard compiler optimisation to unrool loops in decryption routines. I think that -O3 or inlining optimisations will do it. Otherwise check Intel C compiler’s optimisation parameters, there are tons of them like:

/Qunroll[n] set maximum number of times to unroll loops. Omit n to use
default heuristics. Use n=0 to disable loop unroller.

/Qopt-jump-tables:
default – let the compiler decide when a jump table, a
series of if-then-else constructs or a
combination is generated
never – do not generate jump tables and always use
if-then-else constructs
large – generate jump tables up to a certain pre-
defined size (64K entries)

/Qinline-min-size=
set size limit for inlining small routines

By: neox

neox — Mon, 30 Jun 2008 09:06:48 +0000

I remember seeing an option to unfold loops for speed optimization.

By: zairon

zairon — Sun, 29 Jun 2008 18:05:22 +0000

As I wrote in the post I got it from Malware Domain List forum, it’s a msn malware and you should be able to find it easily (There should be a copy at Offensive Computing as well). MD5 of the file I have is 0DA60B4D34D96FD50CC06DDBC87F0891.
There are some other samples out there (same family I suppose), from a quick glance they are almost equal except the decryption key…

By: 0x00

0x00 — Sun, 29 Jun 2008 15:02:15 +0000

plz drop md5 here or upload malware .