LAST-MINUTE PAPER: Cracking Xpaj; code and payload

Andrea Lelli Symantec

  download slides (PDF)

W32.Xpaj.B has multiple complex elements - far more than any other file infector. It has two strong layers of protection. These are code encryption and obfuscation. Encryption is achieved using a complex virtual machine. The worm core itself is then heavily obfuscated, making analysis difficult. When the obfuscation is finally bypassed, the infection routine is not trivial. The worm is capable of infecting both user-mode and kernel-mode components. Commands are received from C&C servers in encrypted blobs.

All of these code components have been analysed and are fully described. Access to the C&C servers was obtained and the payload also investigated. The payload is a click-fraud scam which is documented, including graphs showing earnings over time and received traffic.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.