Rachit Mathur McAfee
Zheng Zhang McAfee
It is well known that fake AV programs have become a real problem to deal with. The major obstacle for static signature scanners has been the ever-changing layers of decryptors that wrap these programs. This paper focuses on code analysis of those decryptor layers. We take a comprehensive look at how the malware family has evolved over the past years and at the anti-RE tricks it employs to continually evade detection.
This paper also highlights what sets these programs apart from other morphing malware families, which are by no means trivial either. In addition to syntactic code mutations, fake AV programs continuously introduce different techniques to thwart analysis in each generation, such as direct access to undocumented memory structures (e.g. KUSER_SHARED_DATA and AnsiCodePageData), exception context modifications, non-trivial long loops, and the use of privileged instructions.