It seems that quite a bit of malware is being classified as Vundo (Virtumonde) these days. With the volume of malware currently being distributed in dynamic link library form, it is not always easy to differentiate one family from another. Frequently these modules are statically linked with C and C++ runtimes, compression, and GUI libraries, which can slow analysis down. In addition to all this embedded library code, Vundo's code seems to be under constant development: it is updated quite frequently to fix bugs, add a new piece of functionality, or add more randomization to prevent signature recognition.
However, there is one construct that the developers behind the code seem to enjoy using. In almost every place where an event name, and sometimes a registry value name, is created, the name is generated by a function that is similar across variants.
The function derives this name from an attribute of the infected computer: the serial number assigned to the "C:" drive volume when it was last formatted by the operating system. The serial number is then "randomized" by one or more bitwise CPU instructions against a constant selected by the programmer. The result of these operations is converted into a string and returned for use.
Recognizing this function can help positively identify a Vundo sample. A source code representation of the function would look similar to this:
#include <windows.h>

#define arbitrary_vundo_number 0xFDEC

int generate_number(char *output)
{
    BOOL return_value;
    /* The disassembled sample pre-loads a dummy value (123h) before the call;
       if GetVolumeInformation fails, that value is what gets XORed and printed. */
    DWORD volume_serial_number = 0x123;

    /* Serial number assigned to the C: volume when it was last formatted */
    return_value = GetVolumeInformationA("c:\\", NULL, 0, &volume_serial_number,
                                         NULL, NULL, NULL, 0);
    (void)return_value; /* the malware does not check for failure */

    /* "Randomize" the serial against a constant chosen by the author */
    volume_serial_number ^= arbitrary_vundo_number;

    /* Render as eight lowercase hex digits; this string becomes the event / value name */
    return wsprintfA(output, "%08x", volume_serial_number);
}
Actual Vundo assembly code looks like this:
push esi ; nFileSystemNameSize
push esi ; lpFileSystemNameBuffer
push esi ; lpFileSystemFlags
push esi ; lpMaximumComponentLength
lea eax, [ebp+VolumeSerialNumber]
push eax ; lpVolumeSerialNumber
push esi ; nVolumeNameSize
push esi ; lpVolumeNameBuffer
push offset RootPathName ; "c:\\"
mov [ebp+VolumeSerialNumber], 123h
call ds:GetVolumeInformationA
xor [ebp+VolumeSerialNumber], 34D2121h
push [ebp+VolumeSerialNumber]
push offset a08x ; "%08x"
push [ebp+arg_0] ; LPSTR
call ds:wsprintfA
add esp, 0Ch
pop esi
leave
retn
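As an added analyst-side example (not code from the original post or from the malware), the following Python reproduces the generator described above and inverts it for triage: given a name observed in event or registry artefacts and the host's C: volume serial, it recovers the XOR constant and checks it against the two constants that appear on this page (0xFDEC from the C sketch and 34D2121h from the disassembly). It also handles the failure path visible in the disassembly, where the pre-loaded 123h is XORed when GetVolumeInformationA fails. The serial value 0xA1B2C3D4 and the treatment of those two constants as a watchlist are constructed assumptions for the example.

```python
import re
from typing import Optional, Set

# XOR constants visible on this page: 0xFDEC (C sketch) and 0x34D2121 (disassembly).
# Treating them as a watchlist is an assumption of this example.
KNOWN_CONSTANTS: Set[int] = {0xFDEC, 0x34D2121}

# Value the sample stores in VolumeSerialNumber before calling GetVolumeInformationA;
# if the call fails, this dummy (not a real serial) is what gets XORed.
FALLBACK_SERIAL = 0x123

MASK32 = 0xFFFFFFFF
NAME_RE = re.compile(r"^[0-9a-f]{8}$")


def vundo_name(serial: int, constant: int) -> str:
    """Reproduce the generator: (serial XOR constant) rendered as '%08x'."""
    return "%08x" % ((serial ^ constant) & MASK32)


def recover_constant(name: str, serial: int) -> Optional[int]:
    """Invert the generator. XOR is its own inverse, so for an observed name and
    the host's C: volume serial, name XOR serial yields the constant the author used.
    Returns None when the name is not an 8-hex-digit string."""
    name = name.lower()
    if not NAME_RE.fullmatch(name):
        return None
    return int(name, 16) ^ (serial & MASK32)


def classify(name: str, serial: int) -> str:
    """Triage verdict for a name found in event or registry-value artefacts on a host
    whose C: volume serial is `serial`."""
    constant = recover_constant(name, serial)
    if constant is None:
        return "not-8-hex"
    if constant in KNOWN_CONSTANTS:
        return "known-constant"
    # Failure path: GetVolumeInformationA failed and the pre-loaded dummy was used.
    if (int(name, 16) ^ FALLBACK_SERIAL) in KNOWN_CONSTANTS:
        return "known-constant-fallback-serial"
    return "unknown-constant"


def expected_names(serial: int) -> Set[str]:
    """Names to search for on a host with the given serial, one per known constant.
    Useful for hunting in event-object listings or registry exports."""
    return {vundo_name(serial, c) for c in KNOWN_CONSTANTS}


if __name__ == "__main__":
    # Constructed host serial; on a live host this comes from GetVolumeInformation / `vol C:`.
    host_serial = 0xA1B2C3D4
    print("names to hunt for:", sorted(expected_names(host_serial)))
    for observed in ("a2ffe2f5", "034d2002", "deadbeef", "Global\\foo"):
        print(observed, "->", classify(observed, host_serial))
```

The recovery step is the useful one in practice: a name that decodes to a constant already seen in other samples ties a new DLL to the family even when the surrounding library code differs, while an unfamiliar constant is a candidate to add to the watchlist once the sample is confirmed.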
