MMX instructions used in malware
Thursday, January 23, 2014 | Author: Deep Flash
Today I saw MMX instructions being used in the decryption routine of a self-modifying code sample, shown below:

MOV EDI,DWORD PTR SS:[ESP]
MOV ESI,6581DBCA
MOV EAX,704
MOV ECX,DDDDFDDD        ; set ECX to a large value
IMUL EBX,EBX,21
XOR EDX,EDX
TEST EBX,EBX
ADD EBX,3
SUB EBX,1
MOV EBX,1                ; junk instructions
LOOPDNE SHORT 0014DB72    ; loop used to introduce delay in execution
SUB EAX,4
MOVD MM0,DWORD PTR DS:[EDI]    ; usage of MMX registers
MOVD MM1,ESI
PXOR MM0,MM1                ; MMX XOR instruction used
MOVD DWORD PTR DS:[EDI],MM0
ADD EDI,4
TEST EAX,EAX
JNZ SHORT 0014DB86
RETN

The reason for using the MMX PXOR instruction instead of the general-purpose x86 XOR instruction might be to bypass code emulation. Using undocumented instructions to defeat code emulators is a known technique, and I am not sure whether the MMX instructions are implemented in the code emulators.
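For an analyst who wants the decrypted bytes without running the sample, the loop above can be reproduced statically. The following is an added example (my code, not the malware's and not from the post); it assumes the constants in the listing (ESI = 6581DBCA as the key, EAX = 704 as the byte count), that EDI starts at the return address so the first dword decrypted is the one right after the CALL, and it uses a constructed byte pattern in place of the real encrypted region, which the post does not reproduce. The LOOPDNE delay loop changes nothing in memory and is skipped.

```python
# Added example (not the malware's code, not the blog author's): a static
# re-implementation of the MMX XOR loop listed above, so the self-modifying
# region can be decrypted in a script without executing it.
import struct

KEY = 0x6581DBCA      # the constant loaded into ESI in the listing
LENGTH = 0x704        # the constant loaded into EAX in the listing (byte count)


def mmx_xor_decrypt(blob: bytes, key: int = KEY, length: int = LENGTH) -> bytes:
    """Reproduce the loop that starts at SUB EAX,4.

    MOVD zero-extends a 32-bit operand into the 64-bit MM register, so
    PXOR MM0,MM1 on two MOVD-loaded values is just a 32-bit XOR of the dword
    at [EDI] with ESI; the upper 32 bits of both registers are zero.
    EAX is decremented by 4 until it tests as zero, so length/4 dwords are
    touched.  If EAX were not a multiple of 4 the loop would wrap around and
    overrun the buffer, so that case is rejected here instead of emulated.
    """
    if length % 4:
        raise ValueError("EAX must be a multiple of 4; the loop would never reach zero")
    if len(blob) < length:
        raise ValueError("buffer shorter than the byte count in EAX")
    out = bytearray(blob)
    for off in range(0, length, 4):
        (dword,) = struct.unpack_from("<I", out, off)
        struct.pack_into("<I", out, off, dword ^ key)   # MOVD / PXOR / MOVD effect
    return bytes(out)


def recover_key(cipher_dword: int, known_plain_dword: int) -> int:
    """For a variant with a different ESI constant: XOR is its own inverse,
    so one known plaintext dword (e.g. a recognisable prologue) yields the key."""
    return (cipher_dword ^ known_plain_dword) & 0xFFFFFFFF


# Constructed stand-in for the 0x704-byte encrypted region (the real bytes are
# not on the page): a simple byte pattern "encrypted" with the same XOR.
PLAINTEXT = bytes((i * 7 + 3) & 0xFF for i in range(LENGTH))
ENCRYPTED = mmx_xor_decrypt(PLAINTEXT)   # XOR is symmetric, so this encrypts


def demo() -> dict:
    decrypted = mmx_xor_decrypt(ENCRYPTED)
    (first_cipher,) = struct.unpack_from("<I", ENCRYPTED, 0)
    (first_plain,) = struct.unpack_from("<I", PLAINTEXT, 0)
    return {
        "round_trip_ok": decrypted == PLAINTEXT,
        "dwords_touched": LENGTH // 4,          # 0x704 / 4 = 449
        "recovered_key": recover_key(first_cipher, first_plain),
    }


if __name__ == "__main__":
    print(demo())
```

To apply it to a real dump, pass the bytes starting at the return address of the CALL that reaches this routine; if a later variant changes the ESI constant, `recover_key` gives it from any one dword whose plaintext is known.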

The self-modifying code also uses common anti-debugging tricks: it checks the BeingDebugged and NtGlobalFlag fields in the PEB.

After this, it executes the CPUID instruction with EAX set to 1 (CPUID_GETFEATURES) and checks the CPUID_FEAT_EDX_MMX bit to see whether the CPU supports MMX instructions.

Below is another code section where MMX registers are used in a delay-execution routine:

MOV ECX,0D55ABBF    ; set ECX to a large value
NOP
XOR EAX,EAX
XOR EDX,EDX
RDTSC
NOP
MOVD MM1,EAX
MOVD MM0,EDX
LOOPD SHORT 0014D4ED
CMP ECX,0
JNZ 0014DB53
EMMS
JMP 0014D9BA

It is good to see MMX instructions being used in malware. We will most likely see more FPU/MMX instructions in malware.

Since most security vendors these days run malware in a sandbox, such instructions can be used to defeat the emulators.
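The flip side for a sandbox or triage pipeline is spotting this pattern before emulation trips over it. The following is an added example (my code, not the malware's and not from the post): a byte-level heuristic that counts MMX, RDTSC and CPUID opcodes in a code region and flags RDTSC followed closely by an MMX instruction, which is the shape of the delay routine above. The samples are hand-assembled from the two listings; branch displacements are placeholders because the real addresses are not reproduced on the page, and the 32-byte window is my choice. The scan is linear and not a disassembly, so it is a triage signal rather than proof.

```python
# Added example (not the malware's code, not the blog author's): a byte-level
# heuristic for the RDTSC + MMX pattern of the delay routine above, the kind of
# check a triage script or YARA-style rule could apply to a code region.
from typing import Dict, List, Tuple

# Two-byte opcodes (0F xx) used by the routines on the page.  Without a 66h
# prefix, 0F 6E / 0F 7E / 0F EF are the MMX (MM-register) forms; with a 66h
# prefix they are the SSE2 XMM forms, a different feature set, so the prefix is
# checked.  0F 77 is EMMS, 0F 31 is RDTSC, 0F A2 is CPUID (the sample queries
# leaf 1 and reads EDX bit 23, the MMX feature flag).
MMX_OPCODES = {
    0x6E: "MOVD mm,r/m32",
    0x7E: "MOVD r/m32,mm",
    0xEF: "PXOR mm,mm/m64",
    0x77: "EMMS",
}
OTHER_OPCODES = {0x31: "RDTSC", 0xA2: "CPUID"}


def find_opcodes(code: bytes) -> List[Tuple[int, str]]:
    """Return (offset, mnemonic) for every candidate 0F xx opcode.

    Linear byte scan of 32-bit code, not a disassembly: an 0F byte inside an
    immediate or displacement produces a false hit.
    """
    hits = []
    for i in range(len(code) - 1):
        if code[i] != 0x0F:
            continue
        op = code[i + 1]
        has_66_prefix = i > 0 and code[i - 1] == 0x66
        if op in MMX_OPCODES and not has_66_prefix:
            hits.append((i, MMX_OPCODES[op]))
        elif op in OTHER_OPCODES:
            hits.append((i, OTHER_OPCODES[op]))
    return hits


def classify(code: bytes, window: int = 32) -> Dict[str, object]:
    """Count the opcodes and flag RDTSC followed within `window` bytes by an
    MMX instruction (window size is an assumption, not from the page)."""
    hits = find_opcodes(code)
    mmx = [off for off, name in hits if name in MMX_OPCODES.values()]
    rdtsc = [off for off, name in hits if name == "RDTSC"]
    cpuid = [off for off, name in hits if name == "CPUID"]
    suspect = any(0 < m - t <= window for t in rdtsc for m in mmx)
    return {"mmx": len(mmx), "rdtsc": len(rdtsc), "cpuid": len(cpuid),
            "delay_loop_suspect": suspect}


# Constructed sample: the delay routine from the listing, hand-assembled.
# Branch displacements are placeholders (real addresses are not on the page).
DELAY_LOOP_SAMPLE = bytes.fromhex(
    "B9 BF AB 55 0D"        # MOV ECX,0D55ABBF
    "90"                    # NOP
    "33 C0"                 # XOR EAX,EAX
    "33 D2"                 # XOR EDX,EDX
    "0F 31"                 # RDTSC
    "90"                    # NOP
    "0F 6E C8"              # MOVD MM1,EAX
    "0F 6E C2"              # MOVD MM0,EDX
    "E2 F0"                 # LOOPD SHORT (placeholder rel8)
    "83 F9 00"              # CMP ECX,0
    "0F 85 00 00 00 00"     # JNZ rel32 (placeholder)
    "0F 77"                 # EMMS
    "E9 00 00 00 00"        # JMP rel32 (placeholder)
)

# Constructed sample: the core of the decryption loop from the first listing.
DECRYPT_LOOP_SAMPLE = bytes.fromhex(
    "0F 6E 07"              # MOVD MM0,DWORD PTR [EDI]
    "0F 6E CE"              # MOVD MM1,ESI
    "0F EF C1"              # PXOR MM0,MM1
    "0F 7E 07"              # MOVD DWORD PTR [EDI],MM0
    "83 C7 04"              # ADD EDI,4
)

# Constructed control: ordinary compiler output using SSE2 PXOR (66h prefix),
# which must not be reported as MMX.
SSE2_CONTROL = bytes.fromhex(
    "55 8B EC"              # PUSH EBP / MOV EBP,ESP
    "66 0F EF C0"           # PXOR XMM0,XMM0
    "5D C3"                 # POP EBP / RET
)


if __name__ == "__main__":
    for name, sample in [("delay loop", DELAY_LOOP_SAMPLE),
                         ("decrypt loop", DECRYPT_LOOP_SAMPLE),
                         ("sse2 control", SSE2_CONTROL)]:
        print(name, classify(sample))
```

The decryption loop scores high on MMX but has no RDTSC, so only the delay routine trips the `delay_loop_suspect` flag; the SSE2 control shows why the 66h prefix check matters, since ordinary compiler output zeroes XMM registers with the same 0F EF opcode.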

c0d3inj3cT