While investigating some new malware samples this week, we came across a few interesting files that use a new trick with an undocumented instruction. We had to do a bit of digging around the Intel instructions list to solve this little mystery. While it turned out that the trick itself isn't effective in complicating debugging and disassembly, we think it's worth sharing anyway, as we're now seeing three different malware variants using it.

One of the samples flagged by our systems (SHA1:3d85cc93115c1ebfdeba17b54d6570e06c1bb2f5) looked nothing out of the ordinary in the beginning. It has the usual custom packer to deter analysis and detection, and is malformed to confuse various tools:

DESCRIPTION

DESCRIPTION

The really interesting part though is immediately at the entry point:

DESCRIPTION

According to Intel manuals, the instructions highlighted are invalid instructions, which would make the application crash if executed. This actually contradicts our experience – in our systems, the file ran in a virtual machine. Because of this, we decided that we should dig deeper and check to see where the problem resides.

We tried to see if other tools that we commonly use correctly interpreted and disassembled the instructions:

DESCRIPTION

DESCRIPTION

DESCRIPTION

All tools gave different results for the same instructions. At this point, we suspected that we were dealing with an undocumented instruction in which the tools weren't aware.

To continue investigation, we chose to use a disassembler library from Intel, which gave us the following disassembly:

DESCRIPTION

Searching for these instructions revealed that they are undocumented FPU instructions, leading to incorrect disassembly in different reversing tools.

Because this had piqued our curiosity, we asked ourselves who employs this trick and when did it first appear in the wild.

The first sample we noticed using this trick reached our systems on January 10, 2013, from a VirusTotal submission. The sample (SHA1: 7403f5e5a88b26001295fd201d490fbb4854e061) is detected as Backdoor:Win32/Farfli.AV. This sample was not packed or protected in any way and was only using this instruction trick.

Since January we have also seen the Trojan:Win32/Danglo family and Backdoor:Win32/Zegost.B using this trick.

Searching the underground forums for mentions of this trick didn't yield any results. The number of families using this technique is relatively small so it raises some interesting questions: are these families related? How are the authors, if they're different people, sharing information?

One thing is for sure, malware authors continue to struggle in their attempts to evade detection.

Daniel Radu
MMPC Munich