We’ve all read of social engineering tactics before and how gullible users fall prey to many tactics used by virus authors. As researchers we often give recommendations to family and friends on how not to fall prey to such tricks, but once in a while we need to remind ourselves too that we are included in the intended list of targets.

As researchers we deal with different flavors of malware. Over time and with experience researchers often reach a state of “enlightenment” where you look at a sample and you know if it’s malicious. At least that’s what we believe; however there are times where we too are made to think twice. When dealing with malware it’s not uncommon for analysts to come across a note from the authors once in a while. At times they are taunts and at times they are something more like the example below. We came across a sample which contains messages for security researchers asking to not add detections for the file as this is not a virus. Considering that there are legitimate packers that put warnings for researchers to prevent falsely detecting them, such non-verbal communication can at times make one take a second look.

In the words of a malware author

Besides the fact that they seem to agree that they have authored this program :) , technically they are right - this is not a virus, but a trojan downloader !!  This trojan silently downloads arbitrary files (porn dialer in this particular case) from remote site (hxxp://[skipped].com/del/cmb_[random].exe) and executes it. (New detection added to detect both samples is “Generic.acf”)

A second example was a little more fascinating for us. Researchers often take two approaches to analysis: Static (opening up the file in Hiew or other similar tools) and Dynamic (replicating the malware). In this case we opened the file in Hiew and the first thing that was apparent was that the file had abnormal resources and import data.

Abnormal Resources

Moving past this error, we also noticed that the Entry Point mentioned in the header is 0001A001 and for an Image Base of 00400000, we should be able to get Hiew to go to the EP which should be at 0041A001. However it looks like the file ends at 00410DFF causing Hiew to fail reaching EP.

Header Information for EP

At this point in our minds we are more or less sure that this file is corrupt and it could be the end of analysis, but WAIT !!! Though we may be certain the Windows Loader will complain if we attempt to execute this sample, it actually runs like a charm. OK things are getting really fishy, so back to the drawing board we go. We re-open the file up in Hiew and this time we observe in more detail, the section header.

Section Table Entries

There are 10 odd looking sections which is fine, some of the sections have Physical Size as 0 and others overlap which though suspicious is fine too. And then we stumble upon the possible culprit. The authors have modified the Physical Size of the first two sections to FF003000 and FF000200 respectively where as their Virtual Sizes are 3000 and 1000. Patching the section sizes to 00003000 and 00000200 fixes the EP issue in Hiew allowing it to get to the correct EP.

Heck even IDA wasn’t able to load the files and gave the following errors and quit: “Virtual Array: Address space limit reached”

IDA Error

Olly on the other hand mentions the large section size but still loads it comfortably.

Clearly the authors are attempting social engineering here by crafting the section table. A second opinion is also that using this technique might trick certain AV products to mis-load such files. We’d like to hear your thoughts too…..

So the moral of the story is, don’t judge a book by its cover or malware based on only one tool, drink more coffee and keep at it. Happy Researching !!  [We currently detect this as Spy-Agent.dp.gen]