The Latest in IT Security

Zbot family runs on selected systems only


When analyzing malware, it is quite common to meet a sample that does not run in a virtual machine or emulator. Using well-known tricks, it can prevent itself from being analyzed. But what if it does not run even on a real computer? The following sample, part of the Zbot family, uses a volume CLSID comparison as a security check to prevent it from being easily analyzed.

When we tried to run this sample on a real machine to get under the hood very quickly, nothing happened. So we started a regular analysis and figured out that before any malicious action is taken, the malware loads twice-encrypted data from the overlay and, after decryption, compares specific bytes with other data obtained from the local machine.

Looking at the comparison data, you can recognize a CLSID. So we used the first one, obtained from the Windows API call, to find out that it is the CLSID of a local drive.

If both CLSIDs are equal, the sample will start. Because the CLSID of the drive is hardcoded in the overlay and compared every time the sample is started, some earlier step must have obtained that particular CLSID before it was written into the overlay. This could have happened during the first initialization of the sample, followed by its modification (because there is no such code in this sample), during communication between the infected station and the C&C server before the sample was delivered to the station, or in some other scenario.
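To check whether another sample carries a similar encrypted blob, an analyst can locate the overlay (the bytes after the last section's raw data) and measure its entropy. The following is an added example, not code from the original analysis; the function names and the constructed test file are illustrative, and it assumes an unsigned file, since an Authenticode certificate table also sits after the sections.

```python
import math
import struct
from collections import Counter

def overlay_offset(pe: bytes) -> int:
    """File offset where the last section's raw data ends (overlay start)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (n_sections,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # first section header
    end = table + 40 * n_sections             # overlay cannot start inside the headers
    for i in range(n_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, table + 40 * i + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    return min(end, len(pe))

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_overlay(pe: bytes) -> dict:
    """Summarise the overlay: where it starts, its size, how random it looks."""
    start = overlay_offset(pe)
    blob = pe[start:]
    return {"offset": start, "size": len(blob), "entropy": entropy(blob)}

def build_sample(overlay: bytes) -> bytes:
    """Constructed test input: minimal PE headers, one 0x200-byte section, overlay."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)               # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", hdr, 0x84, 0x14C, 1)          # Machine, NumberOfSections
    struct.pack_into("<H", hdr, 0x80 + 20, 0xE0)          # SizeOfOptionalHeader
    sec = 0x80 + 24 + 0xE0                                # section table offset
    hdr[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<II", hdr, sec + 16, 0x200, 0x200)  # raw size, raw pointer
    return bytes(hdr) + b"\x90" * 0x200 + overlay

if __name__ == "__main__":
    print(triage_overlay(build_sample(bytes(range(256)))))
```

An overlay with entropy close to 8 bits per byte is consistent with encrypted or compressed data and is worth dumping for closer inspection.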

The file is detected by AVG as Trojan horse Generic31.ASUA.

MD5 hash: a2a6fb6d26f3d70da25dbcaac05fc894

Michal Cebak
