10 comments on “Funny coded malware

  1. As I wrote in the post I got it from Malware Domain List forum, it’s a msn malware and you should be able to find it easily (There should be a copy at Offensive Computing as well). MD5 of the file I have is 0DA60B4D34D96FD50CC06DDBC87F0891.
    There are some other samples out there (same family I suppose), from a quick glance they are almost equal except the decryption key…

  2. I am not sure if you missed something really simple or I didn’t understand your post, but it’s a standard compiler optimisation to unrool loops in decryption routines. I think that -O3 or inlining optimisations will do it. Otherwise check Intel C compiler’s optimisation parameters, there are tons of them like:

    /Qunroll[n] set maximum number of times to unroll loops. Omit n to use
    default heuristics. Use n=0 to disable loop unroller.

    /Qopt-jump-tables:
    default – let the compiler decide when a jump table, a
    series of if-then-else constructs or a
    combination is generated
    never – do not generate jump tables and always use
    if-then-else constructs
    large – generate jump tables up to a certain pre-
    defined size (64K entries)

    /Qinline-min-size=
    set size limit for inlining small routines

  3. Thx for the info, I didn’t know the existence of such parameters… my fault.
    Now the question is: why do you need to unroll loops?

  4. Speed optimisation, no jump back, no roll count and probably some cool stuff with the pipeline too.

  5. File was produces by Visual C++ v6, and according to “Developing Optimized Code with Microsoft Visual C++ 6.0” technical article (of course available at microsoft.com) :
    “Loop unrolling allows the compiler to turn the loop into straight-line code, which improves speed at the expense of size. On x86 processors, loop unrolling can make a dramatic speed improvement if multiple-byte operations can replace single-byte operations that run in the same number of clocks.”

    I have to read more than few lines from an article, but from the 3 examples above this concept could be fully applied to the first one only (the big decryption block).
    It still doesn’t have sense right now. I’ll investigate a bit more later. Thx.

  6. nice work done :) but where the malware xploit the msn?..well is a misterius :)
    quite nice , well very nice :)

  7. I experienced the same behaviour with MSVC9. Speed Optimisation causes the compiler to replace loop with a couple of linear instructions, behaving the same. But I’m not sure if a compiler would have done it in such a big loop? 0o

    Concerning the GPA part with later error checking, I think that’s fine if the APIs aren’t used in between – even though it’s a lack of speed since the whole upcoming code might rely on all APIs being resolved correctly. ;)

  8. Try and protect your computer.
    If you are like me then you have probably tired many different types of scans to try and protect your computer. There are many different options available but I have found that most of them pick up the same bugs whether you pay for the scan or download a free version. Orbasoft Antispyware (http://www.orbasoft.com) is one of the best that I have found so far and it cost less than many of the other well-known scans on the market today. If you are searching for a good scan I suggest that you check out the antispyware solution from Orbasoft.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s