Saturday, 30 December 2006

Malware is in the air

The more malware I analyze, the more I think that 'the bad guys' do not worry about the work they are doing. In fact, it is something strange that I cannot understand. Some of the samples show in-depth knowledge in some areas (Windows processes, the registry, hiding techniques, etc.), but at the same time they use simple and well-known packers (like UPX), or they do not use any packer at all.

If I were a 'bad guy' and had spent some amount of dollars paying a programming expert to develop a complex trojan, I would take care and use a home-made packer in order to complicate its analysis. I'm tired of seeing anti-debugging code (SIDT, INT 3, threads, SEH, ...) that rules, but using UPX sucks. At least if you change some UPX headers (for instance the segment name), the normal UPX binary cannot be run to unpack the malware.
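As an added illustration of the packer point (example code written for this post, not from the original): a small Python check that flags UPX-packed PE files by the stock section names and, independently of the names, by the section layout UPX produces, so renaming the sections alone does not hide the packer from a defender. The layout heuristic and the constructed sample headers are assumptions of this example.

```python
import struct

UPX_NAMES = {b"UPX0", b"UPX1", b"UPX2"}  # names the stock UPX build writes
LAYOUT_MSG = "first section has zero raw size but large virtual size (UPX-style layout)"


def parse_sections(pe):
    """Return [(name, virtual_size, raw_size)] from the PE section table (no pefile needed)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                    # COFF file header follows the signature
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + opt_size                           # section table starts after the optional header
    out = []
    for i in range(num_sections):
        off = table + i * 40                               # each IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0")
        virt_size, _va, raw_size = struct.unpack_from("<III", pe, off + 8)
        out.append((name, virt_size, raw_size))
    return out


def upx_indicators(pe):
    """Reasons the image looks UPX-packed: stock names, plus a name-independent layout check."""
    sections = parse_sections(pe)
    reasons = []
    if {s[0] for s in sections} & UPX_NAMES:
        reasons.append("stock UPX section names present")
    # Heuristic (assumption of this example): UPX reserves the first section for the
    # unpacked image, so it has nothing on disk but a large virtual size.
    if sections and sections[0][2] == 0 and sections[0][1] >= 0x1000:
        reasons.append(LAYOUT_MSG)
    return reasons


def build_test_pe(specs):
    """Constructed, non-executable PE header with the given (name, virt_size, raw_size) sections."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                # e_lfanew: PE signature right after DOS header
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, 0, 0)  # no optional header
    for name, virt, raw in specs:
        hdr += struct.pack("<8sIIIIIIHHI", name, virt, 0x1000, raw, 0, 0, 0, 0, 0, 0)
    return bytes(hdr)


# Constructed samples: stock UPX names, the same layout with renamed sections, and an unpacked layout.
STOCK_UPX = build_test_pe([(b"UPX0", 0x20000, 0), (b"UPX1", 0x9000, 0x8800), (b".rsrc", 0x1000, 0x200)])
RENAMED_UPX = build_test_pe([(b".text", 0x20000, 0), (b".data", 0x9000, 0x8800), (b".rsrc", 0x1000, 0x200)])
PLAIN = build_test_pe([(b".text", 0x5000, 0x5000), (b".data", 0x1000, 0x400)])
```

Run `upx_indicators(open(path, "rb").read())` on a real sample; the renamed case still trips the layout check, which is the point of not trusting section names alone.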

The same applies to the encryption method used. I would say that perhaps 75% of the malware that encrypts something uses XOR encryption. I know that it is easy to implement, but come on, public key cryptography is something that we (should) use daily.

In summary, let's have a happy new year 2007, and check out the Mark Russinovich video about detecting malware before the end of the year!!
