Analysing the packer layers of rogue anti-virus programs

Rachit Mathur McAfee
Zheng Zhang McAfee

  download slides (PDF)

It is well known that fake AV programs have become a real problem to deal with. The major problem for static signature scanners has been their ever-changing layers of decryptors. This paper will focus on the code analysis of the decryptor layers of such programs. We will take a comprehensive look at how the malware family evolved over the past years and the anti-RE tricks they employ to continually evade detection.

This paper will also highlight what is so different about these programs that we do not see in other morphing malware families, which, by any means, are not trivial either. In addition to syntactic code mutations, fake AV programs also continuously introduce different techniques to thwart analysis in each generation, such as direct access to undocumented memory structures (e.g. KUSER_SHARED_DATA and AnsiCodePageData), exception context modifications, non-trivial long loops, usage of privileged instructions etc.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.