Members
  • Total Members: 14176
  • Latest: toxxxa
Stats
  • Total Posts: 42866
  • Total Topics: 16075
  • Online Today: 1580
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)









Post reply

Name:
Email:
Subject:
Message icon:

Verification:
Type the letters shown in the picture
Listen to the letters / Request another image

Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.scforum.info:

shortcuts: hit alt+s to submit/post or alt+p to preview


Topic Summary

Posted by: Pez
« on: 17. July 2013., 09:46:13 »

Malware Manipulates Procedure Prologue and Epilogue to Evade Security

Techniques used by malware developers to evade detection by security software have changed drastically in recent years. Encryption, packers, wrappers, and other methods were effective for various lengths of time. But eventually antimalware programs gained detection techniques to combat these steps.

Malware authors next started frequently changing code and other data; now malware binaries are modified multiple times per day to evade detection. We have discussed some of the most common methods of modifications in previous blogs. Today we’ll talk about the opcode modification of procedure prologue and epilogue sequences. The modification is used by some fake-alert malware.

Modifying Opcode

The opcode modification technique replaces the standard opcodes generated by a compiler with different opcodes–and without changing the outcome of the code.

Prologue and Epilogue

The procedure prologue and epilogue are standard initialization sequences that compilers generate for almost all of their functions. The particulars of these sequences depend on the specific compiler used and on the calling conventions. Most functions start with a prologue that sets up a stack frame for the function and ends with an epilogue that clears the stack frame.

Here’s a typical 32-bit Intel architecture assembly-language function prologue:

        PUSH EBP          —> Save Base Pointer

        MOV EBP,ESP     —> EBP becomes the temporary stack pointer

And here’s a typical epilogue:

        POP EBP            —> Recover Base pointer

        RET                   —> Return from the function

Next we see a typical and a modified prologue:



Figure 1.1: A typical procedure prologue.



Figure 1.2: A modified procedure prologue.

Now let’s look at an example of a typical and a modified epilogue:



Figure 2.1: A typical procedure epilogue



Figure 2.2: A modified procedure epilogue.



Figure 2.3: Another modified procedure epilogue.

The preceding screenshots show standard opcodes generated by the compiler and the modified ones used by fake-alert malware to evade code-based detection. McAfee has complete coverage and detects all variants that use this technique.


Original article: Tuesday, July 16, 2013 at 5:02pm by Arvind Gowda
Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising