The Latest in IT Security

Mayachok Hooks INT8 to Dodge Emulators

06
Feb
2013

Many new variants of the same bootkits are created simply to avoid detection. Bitdefender anti-malware researchers Cristian Istrate and Marius Tivadar have created a small write-up on the evolution and current status of the Mayachok bootkit:

The first version started with its malicious code placed directly in the 15 sectors following the Boot Sector (variant 1 in fig). The second version had its code encrypted and started with a small polymorphic decryption loop (variant 2 in fig). This was done in order to bypass static signature detection. But this version could be generically detected using emulation as there were common blocks of code after decryption.

The third version tries to avoid emulation detection also by placing its decryption code in a hook for interrupt 8 (variant 3 in fig).

On a typical system, INT 8 is generated by the Programmable Interrupt Timer at about 18.2 times/second and on every tick a dword at address 0040:006Ch will be incremented. The new version of Mayachok starts by placing the decryption hook at INT 8 and initializing the counter at 0040:006Ch.

Then it will wait in a loop until its code is decrypted. In the hook the counter is used as a key for decryption.

If the emulator does not generate INT 8, the malicious code loops indefinitely.

Leave a reply


Categories

SATURDAY, SEPTEMBER 26, 2020
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments