Sometimes malware really doesn’t want to be analyzed by researchers and analysts, and refuses to run in a testing environment or when being debugged. Today, we will look into one sample which goes even further and completely changes its behavior when being analyzed. It pretends to be just an ordinary backdoor, probably to discourage malware analysts from digging deeper and revealing its real behavior (and possibly tracking or shutting down its servers).
Let’s look at some of its tricks and code flow:
1) The actual sample was delivered through spam pretending to be a Groupon gift certificate. Of course, instead of the certificate, an EXE file with an Adobe PDF icon was attached.
[Figure: Adobe PDF icon tries to trick a user]
Our sample is written in Delphi and contains another small (16 kB) encrypted PE EXE file. After a few decryption loops the embedded file is executed in a separate process.
2) The new process then loops through all running processes and checks their names against its own blacklist. Actually, hashes calculated from the names, rather than the names themselves, are compared, which obfuscates the check a little. If a match is found, the process pretends to be just an ordinary backdoor and refuses to run its “real” code. Among the blacklisted processes we can name “vmwareservice.exe”, “vmwareuser.exe” and “wireshark.exe”, which shows that the malware really does not want to run in a virtual machine or be analyzed.
[Figure: Process name hash comparison]
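To illustrate the hashed blacklist from point 2, and the usual way an analyst defeats it, here is an added example that is not code from the sample or from AVG. The hash function the sample uses is not given in this post, so a 32-bit FNV-1a over the lower-cased name stands in for it (an assumption); the three confirmed names seed the blacklist, and the tool wordlist is constructed. Hashing hides the names from a plain strings dump, but a wordlist of common analysis tools resolves the constants straight back to names.

```python
"""Hash-based process-name blacklist, and resolving the hashes back to names."""

# Assumption: the sample's real hash is unknown, FNV-1a stands in for it.
FNV_OFFSET = 0x811C9DC5
FNV_PRIME = 0x01000193


def name_hash(name: str) -> int:
    """32-bit FNV-1a over the lower-cased process name (case folding mirrors
    how such checks usually treat 'VMwareUser.exe' and 'vmwareuser.exe' alike)."""
    h = FNV_OFFSET
    for b in name.lower().encode("ascii", "ignore"):
        h ^= b
        h = (h * FNV_PRIME) & 0xFFFFFFFF
    return h


# The three names the post confirms; these hashes stand in for the constants
# an analyst would find embedded in the binary.
BLACKLIST_HASHES = {
    name_hash(n) for n in ("vmwareservice.exe", "vmwareuser.exe", "wireshark.exe")
}


def analysis_tool_running(process_names):
    """Mirror the sample's check: hash each running process name and look it up."""
    return [p for p in process_names if name_hash(p) in BLACKLIST_HASHES]


# Analyst side: a constructed wordlist of tools commonly found in analysis VMs.
KNOWN_TOOLS = [
    "vmwareservice.exe", "vmwareuser.exe", "vmtoolsd.exe", "vboxservice.exe",
    "wireshark.exe", "ollydbg.exe", "procmon.exe", "idaq.exe",
]


def resolve_hashes(hashes, wordlist=KNOWN_TOOLS):
    """Map each blacklist hash to the wordlist entry producing it, or None."""
    table = {name_hash(n): n for n in wordlist}
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    running = ["explorer.exe", "VMwareUser.exe", "notepad.exe"]  # constructed
    print("sample would bail on:", analysis_tool_running(running))
    for h, n in sorted(resolve_hashes(BLACKLIST_HASHES).items()):
        print(f"{h:08x} -> {n}")
```

For a sandbox operator the useful output is the first line: any process on the resolved list that is visible in the analysis VM is a reason the sample will show only its decoy behavior there.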
3) Then the malware checks whether the time (number of CPU cycles) elapsed between two executed instructions is reasonable. If it is unusually long, the process is probably being debugged and the malware changes its behavior again.
4) In common virtual environments, disk controllers usually have distinctive identifiers. For example, “IDE\DiskVmware….” identifies a VMware disk controller.
This malware sample also checks the 4 significant characters of this name and compares them against its own list. However, the malware writer made a small mistake here, so the VMware disk controller remains undetected in this step: VMware starts with “V”, not with “W”.
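The following added example (not code from the sample or from AVG) shows the 4-character prefix check from point 4 and why the author’s slip makes it miss VMware. The device IDs are constructed; the exact contents of the sample’s list are not given in the post, so the “shipped” list assumes the mistake was a “WMWA” entry where “VMWA” was intended, and the extra entries are assumptions about what such a list typically holds.

```python
"""Four-character disk-model prefix check, intended list versus shipped list."""

# Constructed device IDs in the shape of Windows hardware IDs.
VMWARE_DISK_ID = "IDE\\DiskVmware_Virtual_IDE_Hard_Drive"   # matches the post's "IDE\DiskVmware..."
PHYSICAL_DISK_ID = "IDE\\DiskST3500418AS"                   # constructed physical disk

# Assumption: what the author meant, and what actually shipped (one letter wrong).
INTENDED_PREFIXES = ("VMWA", "VBOX", "QEMU")
SHIPPED_PREFIXES = ("WMWA", "VBOX", "QEMU")


def disk_model(device_id: str) -> str:
    """Drop the 'IDE\\Disk' bus part so the model name's leading characters remain."""
    marker = "\\Disk"
    idx = device_id.find(marker)
    return device_id[idx + len(marker):] if idx >= 0 else device_id


def looks_virtual(device_id: str, prefixes=SHIPPED_PREFIXES) -> bool:
    """Compare the first four characters of the model, case-insensitively, with the list."""
    return disk_model(device_id)[:4].upper() in prefixes


def check_report(device_ids):
    """For each ID, report whether the shipped and the intended list would flag it."""
    return {
        d: {"shipped": looks_virtual(d), "intended": looks_virtual(d, INTENDED_PREFIXES)}
        for d in device_ids
    }


if __name__ == "__main__":
    for dev, result in check_report([VMWARE_DISK_ID, PHYSICAL_DISK_ID]).items():
        print(f"{dev}: {result}")
```

The shipped list never fires on the VMware ID, which is exactly what lets this step pass in a VMware guest, while an analyst validating a sandbox against the intended list would see the VMware disk flagged immediately.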
5) Finally, if all checks are passed, the malware spawns the wuauclt.exe process (the legitimate Windows Update client) and injects malicious code into its address space. This code then contacts the control server and requests a download link for another piece of malware, which is downloaded and executed on the victim’s machine.
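From the defender’s side, the behavior in point 5 leaves a simple trace: wuauclt.exe being started by something other than the Windows Update service host. The added example below (not code from the sample or from AVG) runs that check over constructed process-creation events written in a Sysmon-like key=value shape; the expected-parent set is an assumption that, on a healthy system, wuauclt.exe is launched by svchost.exe.

```python
"""Flag wuauclt.exe launches from an unexpected parent in process-creation events."""
import re

# Constructed events, not real telemetry. EventID 1 = process creation.
EVENTS = [
    "EventID=1 Image=C:\\Windows\\System32\\wuauclt.exe "
    "ParentImage=C:\\Windows\\System32\\svchost.exe",
    "EventID=1 Image=C:\\Windows\\System32\\wuauclt.exe "
    "ParentImage=C:\\Users\\bob\\AppData\\Local\\Temp\\Groupon_Gift.exe",
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe "
    "ParentImage=C:\\Windows\\explorer.exe",
    "EventID=3 Image=C:\\Windows\\System32\\wuauclt.exe "
    "ParentImage=C:\\Windows\\System32\\svchost.exe",
]

# Assumption: the Windows Update client is normally started by the service host.
EXPECTED_PARENTS = {"svchost.exe"}
WATCHED = {"wuauclt.exe"}

FIELD = re.compile(r"(\w+)=(\S+)")  # paths in the constructed events have no spaces


def parse_event(line: str) -> dict:
    """Split a key=value line into a dict."""
    return dict(FIELD.findall(line))


def basename(path: str) -> str:
    """Last path component, lower-cased, so comparisons ignore directory and case."""
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_launches(lines):
    """Return (child, parent) pairs where a watched process has an unexpected parent."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "1":
            continue
        child = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        if child in WATCHED and parent not in EXPECTED_PARENTS:
            hits.append((child, parent))
    return hits


if __name__ == "__main__":
    for child, parent in suspicious_launches(EVENTS):
        print(f"suspicious: {child} started by {parent}")
```

Pair this with a watch for network connections made by wuauclt.exe to hosts outside the Windows Update infrastructure, since the injected code is what contacts the control server.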
Lessons learned: Don’t believe any gorgeous email message claiming you have won some glorious prize or got something for free, especially when there is an executable file attached with a well-known tricky icon.
This malware is detected by the latest version of AVG as Trojan horse Downloader.Delf variant.
AVG Viruslab Research Group