Websense has posted a nice malware analysis showing how easily security software can be bypassed by malicious software.
Before performing its primary objective, this malware first disarms any antivirus or firewall it can:
The file is packed with a custom packer/protector, which we had never encountered before. Here is a brief description of the packer and what it does to prevent analysis.
The protected application doesn’t run in a Virtual Machine (default configuration). Once this problem is fixed, it generates 1372 (!) exceptions in the loader to thwart debuggers, tracers, emulators, and so forth.
There is a CRC to prevent patching of the protection code; therefore, the protector will never call the original entry point if the code has been patched, or if a software breakpoint is found in the routine.
One of the first things the malware does is to scan for security applications in memory. It uses a few different techniques, including looking for Windows Name, Process Name
It kills several antivirus products, if they are found in memory, as well as some firewall products.
It lowers the computer's sound volume to prevent the user from hearing the warning sounds generated by antivirus programs.
Full analysis is here.
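The CRC check described in the excerpt is worth seeing in code, because it explains why a single software breakpoint is enough to stop the protector from ever reaching the original entry point. The example below is an added illustration, not code from the Websense analysis or from the sample: the routine bytes, the fake entry point and the scenario helpers are constructed for the demo. The mechanism is the real one, though. A debugger implements a software breakpoint by writing 0xCC (int3) into the target's memory, so recomputing a CRC-32 over the protection routine at run time and comparing it with the value stored at protection time catches a breakpoint exactly as it catches a hand patch.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Bitwise CRC-32 (IEEE 802.3, reflected form, polynomial 0xEDB88320). */
uint32_t crc32_bytes(const uint8_t *buf, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Constructed stand-in for the protection routine's bytes: x86 for
 * "push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret". These are NOT bytes
 * from the sample in the article; any byte string works for the demo. */
enum { ROUTINE_LEN = 7 };
static const uint8_t ROUTINE_CLEAN[ROUTINE_LEN] = {
    0x55, 0x89, 0xE5, 0x31, 0xC0, 0x5D, 0xC3
};

/* The protector's check: recompute the CRC over the routine as it sits in
 * memory and compare with the value computed at protection time. A software
 * breakpoint is a 0xCC byte written into that memory, so it fails the check
 * in exactly the same way a patch does. Returns 1 if untouched, else 0. */
int region_intact(const uint8_t *region, size_t len, uint32_t expected_crc) {
    return crc32_bytes(region, len) == expected_crc;
}

typedef int (*entry_fn)(void);

/* Gate the transfer to the original entry point (OEP) on the check.
 * Returns the OEP's result, or -1 when the protection code was tampered with;
 * in that case control never reaches the OEP. */
int run_if_intact(const uint8_t *region, size_t len, uint32_t expected_crc,
                  entry_fn oep) {
    if (!region_intact(region, len, expected_crc))
        return -1;
    return oep();
}

/* Hypothetical unpacked program; stands in for the real OEP. */
static int fake_oep(void) { return 42; }

/* Scenario helpers so the behaviour can be exercised without a debugger.
 * Each one copies the clean routine into writable memory, computes the
 * "baked-in" CRC from the clean bytes, tampers (or not), then runs the gate. */
int scenario_untouched(void) {
    uint8_t mem[ROUTINE_LEN];
    memcpy(mem, ROUTINE_CLEAN, ROUTINE_LEN);
    uint32_t expected = crc32_bytes(ROUTINE_CLEAN, ROUTINE_LEN);
    return run_if_intact(mem, ROUTINE_LEN, expected, fake_oep);
}

int scenario_software_breakpoint(void) {
    uint8_t mem[ROUTINE_LEN];
    memcpy(mem, ROUTINE_CLEAN, ROUTINE_LEN);
    uint32_t expected = crc32_bytes(ROUTINE_CLEAN, ROUTINE_LEN);
    mem[3] = 0xCC;   /* what a breakpoint on "xor eax,eax" does to memory */
    return run_if_intact(mem, ROUTINE_LEN, expected, fake_oep);
}

int scenario_patched(void) {
    uint8_t mem[ROUTINE_LEN];
    memcpy(mem, ROUTINE_CLEAN, ROUTINE_LEN);
    uint32_t expected = crc32_bytes(ROUTINE_CLEAN, ROUTINE_LEN);
    mem[3] = 0x90;   /* analyst NOPs out "xor eax,eax" (two bytes) */
    mem[4] = 0x90;
    return run_if_intact(mem, ROUTINE_LEN, expected, fake_oep);
}

int main(void) {
    printf("untouched:           %d\n", scenario_untouched());
    printf("software breakpoint: %d\n", scenario_software_breakpoint());
    printf("patched:             %d\n", scenario_patched());
    return 0;
}
```

Two caveats a practitioner should keep in mind. A CRC-32 is guaranteed to catch any change confined to 32 consecutive bits, so a one-byte int3 or a two-byte NOP patch can never slip through by collision; what it does not see is a hardware breakpoint (DR0-DR3 leave memory untouched) or a debugger plugin that hides int3 bytes by restoring the originals whenever the process reads its own code. Conversely, the check itself is just a compare-and-branch, so protectors that rely on it tend to scatter several copies and combine them with the exception storm the excerpt mentions, because patching the single expected value or the branch would otherwise defeat it.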