TrendLabs Malware Blog - Trend Micro
    Sep 27, 11:18 am (UTC-7)

    You may have heard that a number of new variants of the long-lived WORM_BAGLE have been appearing. A large part of the reason is UPolyX.

    UPolyX is not new; its first version, UPolyX v0.1, has been around since 2004. A search of the net turns up four (4) versions in existence.

    UPolyX is basically a scrambler. It specifically needs a UPX-packed input file and produces a scrambled output file. Through its polymorphic decryptor engine it can produce many different output files from a single input file, which is why we keep receiving new WORM_BAGLE variants from time to time.

    The latest version of the scrambler, UPolyX v0.5, adds a permutation module to further improve its polymorphism.

    The scrambler also implements an Executable Trash Generator (ETG), which places trash (dummy instructions) between the polymorphic decryptor and the code itself. ETG can be configured to control how many bytes of trash it generates. ETG 1.00 is the only version publicly known and has been around since March 2000.

    From the characteristics above, the author's primary purpose appears to be defeating the decryptor emulation techniques of various anti-virus engines: a scanner that stops emulating before it has worked through the trash and the decryptor never reaches the original code.

    Using this UPolyX technology, an already-detected malware sample can be revived and sent back into the wild undetected.

    From what I have noticed so far, the samples we receive follow this principle:

    Detected Malware + UPX + UPolyX (polymorphic decryptor + Executable Trash Generator) = New Undetected Malware
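    To make the principle above concrete, here is an added toy simulation (it is not UPolyX's code, not ETG's, and not Trend Micro's). The stub layout, the "UPLX" marker, the trash-instruction pool, the payload bytes and the signature are all invented for this example. Each run of scramble() wraps the same "detected" body in a fresh layer (random XOR key, random dummy instructions in front of the body), so every output has a different hash and a raw-byte signature never fires, while a scanner that emulates the layer back off recovers one identical body every time.

```python
"""Toy model of: Detected Malware + UPX + UPolyX = New Undetected Malware.

Everything here is constructed for illustration: the stub format, the
marker bytes, the trash pool, the payload and the signature are invented
and do not describe UPolyX's real output.
"""
import hashlib
import random

# Constructed stand-in for an already-detected, UPX-packed malware body.
PAYLOAD = b"MZ\x90\x00UPX0UPX1" + b"\x90" * 16 + b"BAGLE_CORE_ROUTINE" + b"\xcc" * 8

# A raw-byte signature an engine might hold for that detected body.
SIGNATURE = b"BAGLE_CORE_ROUTINE"

# ETG-style trash: x86 instructions that change no state (invented pool).
TRASH_POOL = [
    b"\x90",       # nop
    b"\x87\xc0",   # xchg eax, eax
    b"\x89\xc0",   # mov eax, eax
    b"\x8d\x00",   # lea eax, [eax]
    b"\x50\x58",   # push eax / pop eax
]

MAGIC = b"UPLX"  # invented marker for the toy decryptor stub


def scramble(payload: bytes, rng: random.Random, trash_bytes: int = 64) -> bytes:
    """Wrap payload in a new layer: random XOR key, random trash, encrypted body.

    Stub layout (invented): MAGIC | key(1) | trash_len(2 LE) | body_len(2 LE)
                            | trash | body ^ key
    """
    key = rng.randrange(1, 256)           # never 0, so the body always changes
    trash = b""
    while len(trash) < trash_bytes:
        trash += rng.choice(TRASH_POOL)
    body = bytes(b ^ key for b in payload)
    header = (MAGIC + bytes([key])
              + len(trash).to_bytes(2, "little")
              + len(body).to_bytes(2, "little"))
    return header + trash + body


def signature_match(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Naive raw-byte scan, the thing the scrambler is built to defeat."""
    return signature in sample


def unscramble(sample: bytes) -> bytes:
    """Emulate the decryptor: skip the trash, undo the XOR, return the body."""
    if not sample.startswith(MAGIC):
        raise ValueError("not a toy-scrambled sample")
    key = sample[4]
    trash_len = int.from_bytes(sample[5:7], "little")
    body_len = int.from_bytes(sample[7:9], "little")
    body_start = 9 + trash_len
    body = sample[body_start:body_start + body_len]
    if len(body) != body_len:
        raise ValueError("truncated sample")
    return bytes(b ^ key for b in body)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def generate_variants(n: int, seed: int = 1) -> list:
    """Produce n 'new' samples from the single detected payload."""
    rng = random.Random(seed)
    return [scramble(PAYLOAD, rng) for _ in range(n)]


def detection_report(variants: list) -> dict:
    """Compare scanning the raw file against scanning after emulating the layer."""
    return {
        "variants": len(variants),
        "raw_signature_hits": sum(signature_match(v) for v in variants),
        "emulated_signature_hits": sum(signature_match(unscramble(v)) for v in variants),
        "distinct_raw_hashes": len({sha256(v) for v in variants}),
        "distinct_unpacked_hashes": len({sha256(unscramble(v)) for v in variants}),
    }


if __name__ == "__main__":
    for name, value in detection_report(generate_variants(10)).items():
        print(f"{name}: {value}")
```

    The point of the report is the asymmetry: ten variants, ten raw hashes, zero raw signature hits, but ten hits and a single hash once the layer is emulated away. That is why the countermeasure has to be unpacking or emulation through the whole decryptor (trash included), not a per-variant file signature.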


    What if some worm authors decided to embed UPolyX's technology directly in their worms? We might have a hard time telling which variant of the worm is in the wild! But that is just one possibility; others may come along the way, and that is another story. :)
    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice