Author Topic: W32/Xpaj – Know Your Polymorphic Enemy  (Read 2772 times)


September 22, 2009, 08:24:06 am

SysAdMini

http://www.avertlabs.com/research/blog/index.php/2009/09/21/w32xpaj-know-your-polymorphic-enemy/

Quote
Nowadays, most anti-virus products can deal with viruses relatively easily using a variety of technologies. Decent emulator-based scan engines can handle a majority of polymorphic and metamorphic viruses, including those that use the entry-point obscuring technique (EPO). But when it comes to viruses with delay load and random code block insertion such as W32/Zmist (aka Mistfall), code emulators are not the best approach to consider. We came across a new W32/Xpaj variant which has been actively spreading recently. It utilizes well-known techniques to evade detection which are otherwise seldom found in live virus analysis.
Ruining the bad guy's day

October 02, 2009, 01:01:15 pm
Reply #1

SysAdMini

Mal/Xpaj-B - how to avoid looking like a virus
http://www.sophos.com/blogs/sophoslabs/?p=6686

Quote
However, Xpaj-B has a major new feature in the form of multi-layer encryption. While Xpaj-A hid its strings and data with a rolling XOR key, Xpaj-B goes a few steps further: the whole of the virus body (including the already-encrypted data) has been put through another layer, its decryption is called by a Virtual Machine and the bytecode for that VM is stored (encrypted again) after the virus body.
Ruining the bad guy's day
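The Sophos excerpt above says Xpaj-A hid its strings with a "rolling XOR key", which is why a static byte signature on the strings fails: every sample carries different ciphertext, and a scanner has to reach the decoder (by emulation, as the McAfee post notes) or an analyst has to peel the layer off by hand. The following is an added analyst-side example, not code from either blog post and not Xpaj's actual routine. It assumes the simplest rolling scheme, a key byte XORed with each data byte and then advanced by a fixed step modulo 256; the real schedule is not described in the thread. Given one known plaintext (a "crib" such as an API or DLL name the sample must import), it recovers the key and step, checks that the whole crib is consistent with that model, and decodes the rest of the buffer. All names, the sample plaintext and the key values are constructed for the example.

```python
"""Recover a rolling-XOR key schedule from a known plaintext crib.

Added illustration for malware string analysis; the rolling scheme below
(key byte XORed with each data byte, then key += step mod 256) is an
assumption, not the actual W32/Xpaj routine.
"""


def rolling_xor(data: bytes, key: int, step: int) -> bytes:
    """Encode or decode with a rolling XOR (XOR is its own inverse)."""
    out = bytearray()
    k = key & 0xFF
    for b in data:
        out.append(b ^ k)
        k = (k + step) & 0xFF          # advance the key for the next byte
    return bytes(out)


def recover_schedule(blob: bytes, crib: bytes, offset: int = 0):
    """Return (key_at_blob_start, step) if `crib` at `offset` fits the
    rolling model, else None.  Two crib bytes are needed to observe the
    step; every further byte is a consistency check against the model."""
    if len(crib) < 2 or offset + len(crib) > len(blob):
        return None
    # key byte used at each crib position: ciphertext XOR plaintext
    k_at = [blob[offset + i] ^ crib[i] for i in range(len(crib))]
    step = (k_at[1] - k_at[0]) & 0xFF
    for i in range(1, len(crib)):
        if (k_at[i] - k_at[i - 1]) & 0xFF != step:
            return None                # crib is wrong or the scheme differs
    key0 = (k_at[0] - offset * step) & 0xFF   # rewind the key to position 0
    return key0, step


def decode_with_crib(blob: bytes, crib: bytes, offset: int = 0):
    """Decode the whole buffer once the crib fixes the schedule."""
    sched = recover_schedule(blob, crib, offset)
    if sched is None:
        return None
    return rolling_xor(blob, *sched)


def find_crib(blob: bytes, crib: bytes):
    """Slide the crib over the buffer when its offset is unknown; return
    (offset, key0, step) for the first position consistent with the model."""
    for off in range(len(blob) - len(crib) + 1):
        sched = recover_schedule(blob, crib, off)
        if sched is not None:
            return (off, *sched)
    return None


# Constructed sample: a NUL-separated import-name table, obfuscated with a
# constructed key (0x5A) and step (0x07).  Nothing here is taken from a real sample.
PLAINTEXT = b"LoadLibraryA\x00GetProcAddress\x00kernel32.dll\x00"
KEY, STEP = 0x5A, 0x07
BLOB = rolling_xor(PLAINTEXT, KEY, STEP)
CRIB = b"kernel32.dll"

if __name__ == "__main__":
    hit = find_crib(BLOB, CRIB)
    print("crib found at offset %d, key0=0x%02x step=0x%02x" % hit)
    print(decode_with_crib(BLOB, CRIB, hit[0]))
```

The consistency loop is the useful part for an analyst: if the crib decodes the first two bytes but a later byte breaks the constant-step pattern, the buffer is not a simple rolling XOR and a different model (per-block keys, or the VM-driven layer the Sophos post describes for Xpaj-B) has to be tried before trusting any recovered strings.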

October 02, 2009, 02:22:27 pm
Reply #2

RS-232

Only for the "fun" of it...rs-232 aka sowhat-x aka younameit ;-)
http://www.youtube.com/watch?v=fADjY97_KTw

October 06, 2009, 06:45:37 pm
Reply #3

SysAdMini

W32/Xpaj Botnet Growing Rapidly
http://www.avertlabs.com/research/blog/index.php/2009/10/06/w32xpaj-botnet-growing-rapidly/

Quote
Further analysis has revealed some interesting details about the malicious behavior of W32/Xpaj. The virus is building a widespread “zombie” network by taking control of thousands of Internet-connected computers. The new botnet is in its infancy, although thousands of machines have been infected during the last two weeks. The botnet infects computers around the world and has spread across many countries. The attacks are mostly aimed at enterprises, but they have now spread to consumer machines as well. Based on multiple characteristics and our own research, the virus is most probably the work of eastern European cybercriminals.
Ruining the bad guy's day