On Wed, 18 Feb 2015 14:16:02 -0500 Joe Quinn <jqu...@pccc.com> wrote:
> On 2/18/2015 2:10 PM, Reindl Harald wrote:
> > the source contains at least socket:// and heavy pulsating disk-IO
> > noticed from the RAID10 as long the process was active - will give
> > it a try in a isolated VM to look what it does the next spare time
> Or if there was an SA-style classifier for malware that scores files
> in addition to "this is a keylogger".

A lot of the samples we see heavily obfuscate the VB code. Example:

Sub h()
ds = 99 + Sgn(98) + Sgn(902) + Sgn(-5)
USER = Module1.Travel("username")
jks = ds
PST2 = "" + "" & "" & "a" + "do" & "be" & "ac" & "d-u" & "pd" & "a" & "te" & ""
VBT2 = "" & "a" + Chr(100) + "o" & "b" & "ea" & "cd-up" & "da" & "te" & ""
VBTXP2 = "" & "a" & Chr(100) & "o" & "be" + "ac" & "d-u" + "pd" + "atex" + "p" & ""
BART2 = "" & "a" + Chr(100) & "o" & "b" & "e" + "ac" & "d-up" + "date" & ""
PST1 = PST2 + "." + Chr(Asc("p")) + Chr(ds + 15) + "1" + ""
VBT1 = VBT2 + "." + Chr(118) + "b" + Chr(Asc("s")) + ""
VBTXP = VBTXP2 + "." + Chr(Asc("v")) + Chr(Asc("b")) + "s" + ""
... more of the same

This makes a simple-minded "strings" inadequate. :(

I've also seen highly-obfuscated Javascript code that builds up strings
and then evaluates them as Javascript.

Regards,
David.
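An added example, not part of the thread, of the lightweight string emulation a scanner can do where `strings` fails on this sample: it walks the VBA assignments in order, evaluates the `&`/`+` concatenation and the `Chr`/`Asc`/`Sgn` arithmetic against a symbol table, and reports the strings that resolve, so the constructed file names (e.g. the `.ps1` and `.vbs` names above) become matchable by an ordinary rule. `SAMPLE`, `evaluate` and `recover_strings` are this example's own names; the input is a copy of the excerpt quoted above.

```python
import re
# Excerpt of the obfuscated VBA quoted in the mail above, embedded here as the test input.
SAMPLE = '''Sub h()
ds = 99 + Sgn(98) + Sgn(902) + Sgn(-5)
USER = Module1.Travel("username")
PST2 = "" + "" & "" & "a" + "do" & "be" & "ac" & "d-u" & "pd" & "a" & "te" & ""
PST1 = PST2 + "." + Chr(Asc("p")) + Chr(ds + 15) + "1" + ""
'''
TOKEN = re.compile(r'"(?:[^"]|"")*"|\d+|[A-Za-z_][\w.]*|\S')  # string, int, name, operator

def evaluate(expr, env):
    """Evaluate literals, + & -, Chr(), Asc(), Sgn() and known names; ValueError otherwise."""
    toks, pos = TOKEN.findall(expr), [0]
    def peek(): return toks[pos[0]] if pos[0] < len(toks) else None
    def take(): t = peek(); pos[0] += 1; return t
    def expression():                          # left-associative binary operators
        val = term()
        while peek() in ('+', '&', '-'):
            op, rhs = take(), term()
            if op == '-': val -= rhs
            elif op == '&' or isinstance(val, str) or isinstance(rhs, str):
                val = str(val) + str(rhs)      # & always concatenates; + does when a side is text
            else: val += rhs
        return val
    def term():                                # literal, unary minus, parens, call or name
        t = take()
        if t is None: raise ValueError('unexpected end of expression')
        if t[0] == '"': return t[1:-1].replace('""', '"')
        if t.isdigit(): return int(t)
        if t == '-': return -term()            # e.g. Sgn(-5)
        if t == '(': v = expression(); take(); return v
        if peek() == '(':                      # function call: only the three seen in the sample
            take(); arg = expression(); take(); f = t.lower()
            if f == 'chr': return chr(arg)
            if f == 'asc': return ord(arg[0])
            if f == 'sgn': return (arg > 0) - (arg < 0)
            raise ValueError('cannot emulate ' + t)   # e.g. Module1.Travel(...)
        if t.lower() in env: return env[t.lower()]
        raise ValueError('unknown name ' + t)
    return expression()

def recover_strings(vba_source):
    """Emulate assignments top to bottom; return the string values that resolve."""
    env, found = {}, {}
    for line in vba_source.splitlines():
        m = re.match(r'\s*([A-Za-z_]\w*)\s*=\s*(.+)$', line)
        if not m: continue
        try: env[m.group(1).lower()] = evaluate(m.group(2), env)
        except (ValueError, TypeError): continue     # skip what needs the real runtime
        if isinstance(env[m.group(1).lower()], str): found[m.group(1)] = env[m.group(1).lower()]
    return found
```

Running `recover_strings(SAMPLE)` yields `adobeacd-update` for PST2 and `adobeacd-update.ps1` for PST1 (ds evaluates to 100, so `Chr(ds + 15)` is "s"); the unresolvable `Module1.Travel` call is simply skipped.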