Anatomy of a new 64 bit file infector

Expiro file infector cover image

Hi all!

I am still alive 🙂 . I am proud to release here my last analysis about a multi-architecture file infector. It’s name is Expiro. This analysis is the first I made as an independent security researcher and it’s not related to any company. I hope that it can be useful for all others security researchers like me.

Here is the complete document:
www.andrea-allievi.com/files/Expiro_Analysis_2013.pdf

I have deep inspected Expiro dropper because I was very curious to deep understand what a new polymorphic file infector can do. By the way I have found a lot of weak point in its infection code…
Enjoy the analysis, and please let me know what do you think about it, feel free even to send me any comments and suggestions…

Related Posts

4 thoughts on “Anatomy of a new 64 bit file infector

  1. Can you go a little deeper into detail on how you analyzed its unpacking phase? I’m trying to get a better handle on how these are carried out myself but i always seem to miss the entry point or what is happening in memory.

    Thanks!

  2. Hi MythicalWalrus!
    Sorry for the delay… I was very busy last days….

    By the way the unpacking phase is very simple. You have to reverse the entry point code of an infected file. You will find an instruction like: ” mov [ebp-30h], 0D93C7222h (or something else)”. Then, after a bunch of opcodes, you will find: “mov ecx, 6 – mov edx, 0AAAAAAABh – mul edx – shr edx, 2 – mov [ebp-7Ch], edx – mov edi, edx – add edi, [ebp-30h]” The variable at [EBP-30h] contains the XOR key. You have to take the LSB (Less significant byte) of the DWORD key, add 1 and you have the decryption byte. As you can see, the algorithm is very simple!

    Basically it is obfuscated because the cycle is repeated 7 times: 6 times with the original LSB of XOR DWORD, which yield the starting results. Instead the last time it is executed with the same LSB of XOR DWORD key, but increased by 1.

    Hope that this will help you…
    Andrea

    @NewWorld
    Yes, this article is intended for all security specialist. Of course if you are a developer you can read it and understand only the basics… Hope that you have enjoyed it! 🙂 😉 If you have any question just mail me at aall86@gmail.com OR info@andrea-allievi.com

  3. I really like your blog.. very nice colors & theme.
    Did you make this website yourself or did you hire someone to do it for you?

    Plz answer back as I’m looking to create my own blog and would
    like to know where u got this from. kudos

Leave a Reply

Your email address will not be published. Required fields are marked *