With the growth in adoption of 64-bit architectures and associated operating systems, we're seeing the usual malicious suspects following the trend. We have seen variants of several families, including Alureon, Koobface, Sirefef and Ursnif targeting this platform. These families adopt various techniques to prevent their detection and removal, one of which is obfuscation.

Let's take a look at Ursnif, a family of malware which has been active as far back as 2006. The malware usually comes in the form of an executable which contains 2 DLL files stored as resources, one for 32 bit machines and one the for 64 bit. It loads the appropriate DLL depending on the architecture of the infected machine.

The 64 bit version uses a similar type of obfuscation as the 32 bit version - there is the primary first layer which decrypts a second layer of obfuscated code. The second layer in turn decrypts and decompresses the malware binary.


The following is a code snippet of the first layer decrypter, which is quite straightforward, and decrypted a DWORD at a time:

obfus1_layer1.png


The second layer decrypter has the same type of decryption but is a little different in that it attempts to brute force the decryption key by trying various pseudo-random values first. Below is a code snippet from the second layer decryption:

obfus1_layer2.png

The obfuscator also contains code from a publicly available compression library known as APLIB to reduce the size of the malware binary.


In the last week we have noticed Ursnif binaries using a different obfuscator, which makes use of anti-emulation techniques to thwart detection. An example of this technique which has seen extensive use in malware is to perform an API call and check results against known behaviour.

The obfuscator calls two API's from the "ndtll.dll" system library. The first is "NtContinue":

obfus2_api1.png


followed by "NtCreatePagingFile":


obfus2_api2.png


The return value from both functions are subtracted from each other and compared with a preset. If the result is not expected then the malware does not continue to execute.

These types of techniques are not new, several obfuscators have used multiple layers of encryption and compression as well as a variety anti-emulation techniques on 32-bit platforms. But an increased use in 64-bit code by malware means having to ensure proper support of the architecture in order to combat them.

Ray Roberts
MMPC Melbourne