W32/Xpaj: Know Your Polymorphic Enemy
Monday September 21, 2009 at 11:55 pm CST
Posted by Vitaly Zaytsev
Nowadays, most anti-virus products can deal with viruses relatively easily using a variety of technologies. Decent emulator-based scan engines can handle a majority of polymorphic and metamorphic viruses, including those that use the entry-point obscuring technique (EPO). But when it comes to viruses with delay load and random code blocks insertion such as W32/Zmist, (a.k.a. Mistfall) code emulators are not the best approach. We recently came across a new W32/Xpaj variant that is actively spreading. It utilizes well-known techniques to evade detection that are otherwise seldom found in live virus analysis.
The new W32/Xpaj uses a random code block integration technique to infect files. It does not change the original entry point of the file. Instead, W32/Xpaj builds several code blocks responsible for different functionalities and moves them into random locations throughout the code section of the infected file. It is similar to what W32/Zmist used to employ, but W32/Xpaj uses code replacement instead of code insertion.
Its polymorphic decryptor is represented by a number of code blocks linked by unconditional jumps. Once executed, the polymorphic decryptor gains control and performs different tasks:
- Saving the original state of the infected application and preserving all the registers used by the virus
- Changing the protection flags of the memory where the virus body is located
- Decrypting the virus body
- Jumping to the decrypted virus body, etc.
Each task may be located in a separate block of code or combined in one big block.
Once decryption is done, control passes to the main virus body, usually located in a different section. Its authors decided to use register-based jumps instead of relative jumps. The former, together with a heavily encrypted virus body and stolen functions, make this new variant more complicated to repair:
In an attempt to make sure the virus is executed at least once, W32/Xpaj searches and replaces a number of call instructions to point to the beginning of one of the virus code blocks created during the infection.
The random location of the polymorphic code blocks means that for some samples, code emulators may never reach the viral instructions. Such samples may present a hidden surprise to some anti-virus vendors, which might not be able to detect all instances of W32/Xpaj, missing a certain percentage of infected files. However, in other cases, the virus may never gain control at all, such as in the following samples found in the wild:
While decrypting the virus body, W32/Xpaj may generate millions of iterations. Code emulators without decent support of dynamic code translation may fail to run it through correctly. It integrates itself into infected files and becomes a part of the host program control flow. Original functions replaced with the virus decryptor are saved, encoded, and are located in the same section with the virus body.
This variant of W32/Xpaj increases the virtual size of the section containing the virus body by 150KB. It is heavily obfuscated and contains functionality to receive further instructions from remote servers:
- tooratios.com (188.8.131.52)
- abdulahuy.com (184.108.40.206)
The server is currently active and located in Belgium, and sends instructions through the following file:
Interestingly, the malware authors decided to monitor its own virus activity and included logging support to this beast. Every file infected with W32/Xpaj reports to the above-mentioned server and sends information about the system (OS version, Service Pack, IP, etc.) on which the infected file is running:
os=00000005.00000001.02000B28 & amp;cm=18B51294&adn=A120BB0F & amp;knv=00000012 & amp;hdd=002F606E & amp;cid=0000000C & amp;vvr=00000001
The majority of AV vendors do not currently detect this W32/Xpaj variant (as seen in these VirusTotal results):