Virut: Mixed Threats and Unknown Motivations
by Jose Nazario

Every now and then I get a bit annoyed with malware writers. One instance of this was when I cleared my schedule to analyze some malware, and it turned out that it took me about 5 minutes to analyze the samples and find out that they were nothing more than adware downloaders.
But then, something like Virut comes along. Virut is somewhat different from what I’ve spent much of this past year looking at: it actually infects EXE and SCR files, in addition to having a network component. This year alone we’ve tracked about 500 different samples, most of which are just polymorphic variants of a handful of main codebases. Virut appears to achieve its polymorphism through a special packer (similar to, but still distinct from, an old-school polymorphic engine), which makes static detection useless. However, it has some common behaviors, including website contacts and IRC servers, as well as a backdoor. Virut is actually fun to analyze, because it’s not so trivial.
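As an added illustration of the point above (this is not code from the original post), a small Python sketch of why grouping samples by behavior survives polymorphism while hash matching does not; the sample records, hosts and hashes are constructed placeholders, not Virut indicators.

```python
import hashlib
from collections import defaultdict

# Constructed records in the shape a sandbox report would give: every
# polymorphic variant carries a different file hash, but variants of one
# codebase share their infection and network behavior. Hosts are placeholders.
FAMILY_BEHAVIOURS = {
    "codebase-A": {"infects_pe": True, "irc": "irc-a.example.test:6667",
                   "http": ["www-a.example.test"]},
    "codebase-B": {"infects_pe": True, "irc": "irc-b.example.test:6667",
                   "http": ["www-b.example.test", "cdn-b.example.test"]},
    "adware-dl":  {"infects_pe": False, "irc": None,
                   "http": ["ads.example.test"]},
}

def make_samples(variants_per_family=4):
    """Build samples with distinct hashes; each hash is derived from a constructed label."""
    samples = []
    for family, beh in FAMILY_BEHAVIOURS.items():
        for i in range(variants_per_family):
            digest = hashlib.sha256(f"{family}-variant-{i}".encode()).hexdigest()
            samples.append({"sha256": digest, **beh})
    return samples

def behaviour_key(sample):
    """Order-independent fingerprint of what the sample does, not what its bytes are."""
    return (sample["infects_pe"], sample["irc"], tuple(sorted(sample["http"])))

def cluster_by_behaviour(samples):
    """Group samples sharing a behavior fingerprint: polymorphic variants collapse together."""
    families = defaultdict(list)
    for s in samples:
        families[behaviour_key(s)].append(s["sha256"])
    return dict(families)

def static_hash_hits(samples, known_hashes):
    """Signature-style matching: only exact hash repeats are caught."""
    return [s["sha256"] for s in samples if s["sha256"] in known_hashes]

if __name__ == "__main__":
    samples = make_samples()
    known = {samples[0]["sha256"]}  # one previously seen variant
    print(len(samples), "distinct hashes ->", len(cluster_by_behaviour(samples)), "families")
    print("static hash hits:", len(static_hash_hits(samples, known)))
```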
I enjoy malware analysis sometimes because you try to infer the author’s intentions. Sometimes they’re pretty obvious, and sometimes they’re blatant. With Virut, however, it’s been difficult to infer the author’s intentions. It’s kind of hard to believe that someone just wants to build a small IRC botnet with backdoors and DDoS some Estonian websites. Could be that simple, however.
It’s been interesting to see this malware slip below the radar, beaten out by things like Stration/Warezov and various bots.
Some additional, external analysis of Virut from various AV vendors:
Interesting. It really does sound like a cool job; it’s like reverse engineering reverse engineering…