Archive for the ‘Packer Researching’ Category.
2010/02/15, 11:05 pm
First, let’s take a look at two flow graphs:


Figure 1 – GoolBot(Left) and FakeAV(Right)
From Figure 1 we can see many differences between them. The major one is probably the suspicious loop in FakeAV (right). But any trained eye will notice that both are packed (many fake API calls placed ahead of the real code, a strong characteristic of custom packers). And we might guess that they use different custom packers. But do they? Before answering that, let’s try to dig deeper into GoolBot.
Continue reading ‘Malware’s Wardrobe II – FakeAV and GoolBot, Looks Like They Went To The Same Shop’ »
2010/01/21, 9:32 pm
Yet again we have arrived to witness Bredolab’s aftermath. After some days of seeding itself with the help of its infamous friend, the Pushdo/Cutwail/Webwail botnet, Bredolab has returned to a single malware downloader: the FakeAV downloader. And it wears new clothes, hoping to give us a surprise. Will it?
Figure 1 – Fake API Calls
It seems the new clothes have some decorations. From Figure 1 we can see that the block is filled with fake API calls (with invalid parameters). The purpose of this is obvious: an attempt to stop defective emulators. Are those fake API calls useless?