Mayachok Hooks INT8 to Dodge Emulators

Răzvan STOICA

February 06, 2013

Promo Protect all your devices, without slowing them down.
Free 30-day trial
Mayachok Hooks INT8 to Dodge Emulators

Many new  variants of the same bootkits are created simply to avoid detection.  Bitdefender anti-malware researchers Cristian Istrate and Marius Tivadar have created a small write-up on the evolution and current status of the Mayachok bootkit:

The first version started with its malicious code placed directly in the 15 sectors following the Boot Sector (variant 1 in fig). The second version had its code encrypted and started with a small polymorphic decryption loop (variant 2 in fig). This was done in order to bypass static signature detection. But this version could be generically detected using emulation as there were common blocks of code after decryption.

The third version tries to avoid emulation detection also by placing its decryption code in a hook for interrupt 8 (variant 3 in fig).

On a typical system, INT 8 is generated by the Programmable Interrupt Timer at about 18.2 times/second and on every tick a dword at address 0040:006Ch will be incremented. The new version of Mayachok starts by placing the decryption hook at INT 8 and initializing the counter at 0040:006Ch.

 

Then it will wait in a loop until its code is decrypted. In the hook the counter is used as a key for decryption.

If the emulator does not generate INT 8, the malicious code loops indefinitely.

tags


Author


Răzvan STOICA

Razvan Stoica is a journalist turned teacher turned publicist and technology evangelist. Recruited by Bitdefender in 2004 to add zest to the company's online presence.

View all posts

You might also like

Bookmarks


loader