Malware Manipulates Procedure Prologue and Epilogue to Evade SecurityTechniques used by malware developers to evade detection by security software have changed drastically in recent years. Encryption, packers, wrappers, and other methods were effective for various lengths of time. But eventually antimalware programs gained detection techniques to combat these steps.
Malware authors next started frequently changing code and other data; now malware binaries are modified multiple times per day to evade detection. We have discussed some of the most common methods of modifications in previous blogs. Today we’ll talk about the opcode modification of procedure prologue and epilogue sequences. The modification is used by some fake-alert malware.
Modifying Opcode The opcode modification technique replaces the standard opcodes generated by a compiler with different opcodes–and without changing the outcome of the code.
Prologue and EpilogueThe procedure prologue and epilogue are standard initialization sequences that compilers generate for almost all of their functions. The particulars of these sequences depend on the specific compiler used and on the calling conventions. Most functions start with a prologue that sets up a stack frame for the function and ends with an epilogue that clears the stack frame.
Here’s a typical 32-bit Intel architecture assembly-language function prologue:
PUSH EBP —> Save Base Pointer
MOV EBP,ESP —> EBP becomes the temporary stack pointer
And here’s a typical epilogue:
POP EBP —> Recover Base pointer
RET —> Return from the function
Next we see a typical and a modified prologue:
Figure 1.1: A typical procedure prologue.Figure 1.2: A modified procedure prologue.Now let’s look at an example of a typical and a modified epilogue:
Figure 2.1: A typical procedure epilogueFigure 2.2: A modified procedure epilogue.Figure 2.3: Another modified procedure epilogue.The preceding screenshots show standard opcodes generated by the compiler and the modified ones used by fake-alert malware to evade code-based detection. McAfee has complete coverage and detects all variants that use this technique.
Original article: Tuesday, July 16, 2013 at 5:02pm by Arvind Gowda