Malware Domain List

Malware Related => Tools of the trade / Internet News => Topic started by: SysAdMini on September 22, 2009, 08:24:06 am

Title: W32/Xpaj – Know Your Polymorphic Enemy
Post by: SysAdMini on September 22, 2009, 08:24:06 am
http://www.avertlabs.com/research/blog/index.php/2009/09/21/w32xpaj-know-your-polymorphic-enemy/

Quote
Nowadays, most anti-virus products can deal with viruses relatively easily using a variety of technology. Decent emulator-based scan engines can handle a majority of polymorphic and metamorphic viruses, including those that use the entry-point obscuring technique (EPO). But when it comes to viruses with delay load and random code block insertion such as W32/Zmist (aka Mistfall) – code emulators are not the best approach to consider. We came across a new W32/Xpaj variant which has been actively spreading recently. It utilizes well-known techniques to evade detection, which are otherwise seldom found in live virus analysis.

Title: Re: W32/Xpaj – Know Your Polymorphic Enemy
Post by: SysAdMini on October 02, 2009, 01:01:15 pm
Mal/Xpaj-B - how to avoid looking like a virus
http://www.sophos.com/blogs/sophoslabs/?p=6686

Quote
However, Xpaj-B has a major new feature in the form of multi-layer encryption. While Xpaj-A hid its strings and data with a rolling XOR key, Xpaj-B goes a few steps further: the whole of the virus body (including the already-encrypted data) has been put through another layer, its decryption is called by a Virtual Machine and the bytecode for that VM is stored (encrypted again) after the virus body.

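The rolling-XOR string hiding the Sophos post mentions, as an added example (not code from the original thread or from either vendor's write-up): it assumes an additive key schedule and a constructed sample string, and shows why a rolling key beats a fixed one against repeat analysis yet still falls to a two-byte known-plaintext crib.

```python
"""Rolling-XOR string hiding, modelled the way an analyst would (constructed).

The key schedule k[i] = (k0 + i*step) mod 256 is an assumption, not the
schedule any Xpaj variant uses. A fixed single-byte XOR leaks repeated
plaintext bytes (equal bytes stay equal); a rolling key removes that leak
but is still recovered from two known plaintext bytes.
"""

def fixed_xor(data: bytes, key: int) -> bytes:
    """XOR every byte with the same key; byte-wise bijective, so repeats survive."""
    return bytes(b ^ (key & 0xFF) for b in data)

def rolling_xor(data: bytes, key: int, step: int) -> bytes:
    """Symmetric transform: XOR each byte with a key that advances by `step`."""
    out, k = bytearray(), key & 0xFF
    for b in data:
        out.append(b ^ k)
        k = (k + step) & 0xFF
    return bytes(out)

def recover_key_schedule(blob: bytes, crib: bytes):
    """Derive (key, step) from a known plaintext prefix of at least 2 bytes.

    k0 = c0 ^ p0 and k1 = c1 ^ p1 fix the schedule; any further crib bytes
    are a consistency check so a wrong crib is rejected, not mis-decoded.
    """
    if len(crib) < 2 or len(blob) < len(crib):
        raise ValueError("need at least two known bytes covered by the blob")
    k0 = blob[0] ^ crib[0]
    step = ((blob[1] ^ crib[1]) - k0) & 0xFF
    for i, p in enumerate(crib):
        if blob[i] ^ ((k0 + i * step) & 0xFF) != p:
            raise ValueError("crib inconsistent with an additive rolling key")
    return k0, step

def decode(blob: bytes, crib: bytes) -> bytes:
    """Recover the whole hidden string once the schedule is known."""
    key, step = recover_key_schedule(blob, crib)
    return rolling_xor(blob, key, step)

# Constructed sample: a hidden update URL under the reserved '.invalid' TLD.
SAMPLE = b"http://update.example.invalid/gate.php"
BLOB = rolling_xor(SAMPLE, key=0x5A, step=0x37)

if __name__ == "__main__":
    print(recover_key_schedule(BLOB, b"http"))  # (90, 55)
    print(decode(BLOB, b"http"))
```
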
Title: Re: W32/Xpaj – Know Your Polymorphic Enemy
Post by: RS-232 on October 02, 2009, 02:22:27 pm
W32.Xpaj.B – An Upper Crust File Infector
http://www.symantec.com/connect/blogs/w32xpajb-upper-crust-file-infector

Title: Re: W32/Xpaj – Know Your Polymorphic Enemy
Post by: SysAdMini on October 06, 2009, 06:45:37 pm
W32/Xpaj Botnet Growing Rapidly
http://www.avertlabs.com/research/blog/index.php/2009/10/06/w32xpaj-botnet-growing-rapidly/
Quote
Further analysis has revealed some interesting details about the malicious behavior of W32/Xpaj. The virus is building a widespread “zombie” network by taking control of thousands of Internet-connected computers. The new botnet is in its infancy, although thousands of machines have been infected during the last two weeks. The botnet infects computers around the world and has spread across many countries. The attacks are mostly aimed at enterprises, but they have now spread to consumer machines as well. Based on multiple characteristics and our own research, the virus is most probably the work of eastern European cybercriminals.