Sunday, July 8, 2012

Dumping Polymorphic Malware in seconds!

Polymorphic malware is written to evade AV signature detection, but the decoded binary has to exist in memory before it can run, so it can be dumped from there and the reversing effort focused on the decoded image rather than on the packer. Breaking on Windows APIs such as VirtualProtect (an unpacker commonly calls it to make the freshly decoded region executable) and placing hardware breakpoints on the decoded region make this a matter of seconds, as shown in the video below:


  1. As someone already mentioned on Reddit, is there any chance that you will share the file itself? Thanks!

  2. Sorry for the delayed response. I can definitely share the malicious binary; I uploaded it to Offensive Computing but am not able to retrieve it, and am waiting for feedback from Danny Quist. If you have another site where I can upload the binary, please let me know so that you can replicate my video.

  3. Finally, and thanks to Danny Quist, you can download the malware sample to reproduce the video at:

    Not sure if you need an account. If prompted for a password when unzipping, it is "infected". Enjoy it and share new findings!

  4. Hi, thanks for the tutorial. I am trying to decrypt another polymorphic malware, Bolzano. The following are its details from Offensive Computing.

    MD5: 6eb5fdc7a80cb6b551b7aee3242ea9e4
    SHA1: 8f9a97ef3388bc21367f245715d1e930c7dd81c0
    SHA256: 0613e465dc0473c210c6e905ce938eaf6adcea800b116d0651f22c782ffb1cdb
    OCID: 1663401483
    Original Filename: Virus.Win32.Bolzano.3628

    I put a breakpoint on VirtualProtect, but the virus code is not reaching it. However, when I execute the virus code in OllyDbg, my memory dump is getting changed. But I am not sure how to get the decrypted virus out of it, and also its corresponding encrypted version.


  5. Regarding Bolzano, I have not played with it yet, but VirtualProtect is not the only way to dump malware; actually, there are dozens of ways to do it. What I suggest is to set a breakpoint on VirtualAlloc and watch the data written into those newly allocated areas until you see the binary loaded. But as I said, there are different ways to do this; it all depends on the way the malware was built. Good luck.
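Whichever breakpoint catches the unpacker (the post's VirtualProtect/hardware-breakpoint approach, or the VirtualAlloc approach suggested in comment 5), the step that follows is the same: find the decoded PE inside the memory you dumped and carve it into a file a disassembler will load. The script below is an added example, not code from the original post or the video. It assumes the memory regions were already captured in the debugger and handed over as (base address, bytes) pairs; the region addresses, the helper names and the tiny PE built by build_sample_pe() are all constructed for illustration. The caveat it handles is the one that trips up a first dump: a raw copy of the in-memory image still carries the on-disk section table, whose PointerToRawData values are file offsets, so the carved file only loads correctly once those are rewritten to the virtual addresses and sizes.

```python
"""Find and carve a decoded PE image out of dumped memory regions.

Added example, not code from the original post. It assumes the regions
were captured in a debugger (after a VirtualProtect or VirtualAlloc
breakpoint fired) and are passed in as (base, bytes) pairs; the sample
PE from build_sample_pe() and the region addresses are constructed.
"""
import struct

DOS_SIG = b"MZ"
NT_SIG = b"PE\0\0"
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def find_pe_headers(region: bytes) -> list:
    """Offsets in region where 'MZ', e_lfanew and 'PE\\0\\0' line up."""
    hits, off = [], region.find(DOS_SIG)
    while off != -1:
        if off + 0x40 <= len(region):
            e_lfanew = struct.unpack_from("<I", region, off + 0x3C)[0]
            nt = off + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and region[nt:nt + 4] == NT_SIG:
                hits.append(off)
        off = region.find(DOS_SIG, off + 1)
    return hits


def parse_sections(image: bytes, base: int) -> list:
    """Section headers of the PE at image[base:], with their header offsets."""
    nt = base + struct.unpack_from("<I", image, base + 0x3C)[0]
    nsec = struct.unpack_from("<H", image, nt + 6)[0]
    size_opt = struct.unpack_from("<H", image, nt + 20)[0]
    first = nt + 24 + size_opt
    out = []
    for i in range(nsec):
        h = first + i * 40
        f = struct.unpack_from(SECTION_HDR, image, h)
        out.append({"name": f[0].rstrip(b"\0"), "off": h, "vsize": f[1],
                    "vaddr": f[2], "rsize": f[3], "rptr": f[4]})
    return out


def alignments(image: bytes, base: int) -> tuple:
    """(SectionAlignment, FileAlignment) from the optional header."""
    opt = base + struct.unpack_from("<I", image, base + 0x3C)[0] + 24
    return struct.unpack_from("<II", image, opt + 32)


def carve_image(region: bytes, base_off: int) -> bytes:
    """Copy SizeOfImage bytes and make the section table match memory layout."""
    e_lfanew = struct.unpack_from("<I", region, base_off + 0x3C)[0]
    opt = base_off + e_lfanew + 24
    sect_align = struct.unpack_from("<I", region, opt + 32)[0]
    size_of_image = struct.unpack_from("<I", region, opt + 56)[0]
    if base_off + size_of_image > len(region):
        raise ValueError("SizeOfImage runs past the end of the captured region")
    image = bytearray(region[base_off:base_off + size_of_image])
    # The dump is laid out as in memory, so file alignment == section alignment.
    struct.pack_into("<I", image, e_lfanew + 24 + 36, sect_align)
    for s in parse_sections(image, 0):
        vsize = s["vsize"] or s["rsize"]  # some packers leave VirtualSize at 0
        rsize = (vsize + sect_align - 1) & ~(sect_align - 1)
        struct.pack_into("<I", image, s["off"] + 16, rsize)       # SizeOfRawData
        struct.pack_into("<I", image, s["off"] + 20, s["vaddr"])  # PointerToRawData
    return bytes(image)


def scan_regions(regions) -> list:
    """(address, offset, region_bytes) for every PE header in the regions."""
    return [(base + off, off, data) for base, data in regions
            for off in find_pe_headers(data)]


def dump_first_image(regions) -> tuple:
    """Address and carved bytes of the first PE found, ready to write to disk."""
    hits = scan_regions(regions)
    if not hits:
        raise LookupError("no PE header found in any captured region")
    addr, off, data = hits[0]
    return addr, carve_image(data, off)


def build_sample_pe() -> bytes:
    """Constructed in-memory image of a tiny PE32: headers, .text, .data."""
    text_rva, data_rva, size_of_image = 0x1000, 0x2000, 0x3000
    dos = bytearray(0x40)
    dos[0:2] = DOS_SIG
    struct.pack_into("<I", dos, 0x3C, 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, text_rva)        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)        # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)  # Section/FileAlignment
    struct.pack_into("<I", opt, 56, size_of_image)
    struct.pack_into("<I", opt, 60, 0x400)           # SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)               # Subsystem: GUI
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    # On-disk raw pointers (0x200, 0x400) deliberately differ from the RVAs.
    secs = (struct.pack(SECTION_HDR, b".text", 0x20, text_rva, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
            + struct.pack(SECTION_HDR, b".data", 0x20, data_rva, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040))
    image = bytearray(size_of_image)
    hdrs = bytes(dos) + NT_SIG + file_hdr + bytes(opt) + secs
    image[:len(hdrs)] = hdrs
    image[text_rva:text_rva + 8] = b"\x55\x8b\xec\x33\xc0\x5d\xc3\xcc"
    image[data_rva:data_rva + 16] = b"decoded-payload\0"
    return bytes(image)


if __name__ == "__main__":
    # Constructed stand-in for two VirtualAlloc regions: junk, then the decoded image.
    regions = [(0x00400000, b"\xcc" * 0x800),
               (0x00A10000, b"\x00" * 0x1000 + build_sample_pe() + b"\x00" * 0x100)]
    addr, dump = dump_first_image(regions)
    print("PE found at 0x%08X, carved %d bytes" % (addr, len(dump)))
    for s in parse_sections(dump, 0):
        print("  %-8s RVA 0x%05X raw 0x%05X" % (s["name"].decode(), s["vaddr"], s["rptr"]))
```

In practice the (base, bytes) pairs come from reading each region the debugger shows as newly allocated or newly made executable; the carved output is what you hand to a disassembler, and imports still need rebuilding separately if the packer destroyed the import table.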
