Analysing the packer layers of rogue anti-virus programs

Presented at Virus Bulletin 2011

by Rachit Mathur (McAfee)

Summary: It is well known that fake AV programs have become a real problem to deal with. The major problem for static signature scanners has been their ever-changing layers of decryptors. This paper focuses on the code analysis of the decryptor layers of such programs. We take a comprehensive look at how the malware family has evolved over the past years and at the anti-RE tricks it employs to continually evade detection.

This paper also highlights what sets these programs apart from other morphing malware families, which are by no means trivial either. In addition to syntactic code mutations, fake AV programs continuously introduce different techniques to thwart analysis in each generation, such as direct access to undocumented memory structures (e.g. KUSER_SHARED_DATA and AnsiCodePageData), exception context modifications, non-trivial long loops and the use of privileged instructions.