CoDisasm Medium Scale Concatic Disassembly of Self- Modifying Binaries with Overlapping Instructions
!
Jean-Yves Marion Professor at l’Université de Lorraine Institut Universitaire de France ! !
! ! ! NOTE!DE!DESCRIPTION!DE!LA!PROCEDURE!DE!CREATION!! D’UNE!EQUIPE1PROJET!COMMUNE!ENTRE!INRIA!! ET!UN!OU!PLUSIEURS!PARTENAIRES!ACADEMIQUES! AU!SEIN!D’UNE!UMR! ! Septembre!2011! ! Préambule! Le#CNRS#et#Inria#ont#signé#le#15#avril#2011#un#accord#cadre#visant#à#développer#leur# coopération# dans# le# domaine# des# sciences# et# technologies# du# numérique,# et# ainsi# renforcer#le#dispositif#mis#en#place#avec#la#création#de#l’alliance#Allistene.#Cet#accord# cadre#complète#les#modalités#de#coopération#entre#Inria,#le#CNRS,#et#les#universités# telles# que# notamment# exprimées# dans# l’accord# cadre# Inria# –# CPU# en# date# du#17# décembre#2009#et#dans#l’accord#cadre#CNRS#–#CPU#en#date#du#4#novembre#2010.## Cet# accord# cadre# précise# notamment# l’articulation# entre# le# mode# d’organisation# d’Inria# en# équipesNprojets# et# celui# du# CNRS# en# unités# de# recherche# (unités# le# plus# souvent#mixtes#avec#des#établissements#d’enseignement#supérieur).# Une#équipeNprojet#commune#(EPC,#aussi#appelée#équipe#mixte#de#recherche#selon#la# nomenclature# adoptée# par# les# universités)# est# une# équipe# de# personnes# ayant# des# objectifs# scientifiques# et# un# programme# de# recherche# clairement# définis,# sur# une# thématique#focalisée#et#une#durée#fixée.#Une#équipeNprojet#est#animée#par#un#leader# scientifique# qui# a# la# responsabilité# de# coordonner# les# travaux# de# l’ensemble# de# l’équipe.## ! Objet! Cette#note#décrit#le#processus#convenu#entre#le#CNRS#et#Inria#lors#de#la#création#d’une# équipeNprojet# au# sein# d’une# UMR.1# Elle# sera# instanciée# localement# avec# les# universités# et# écoles# concernées,# notamment# pour# prendre# en# compte# les# accords# existants#(par#exemple#dans#le#cas#de#convention#d’UMR#dont#Inria#est#coNtutelle#ou# partenaire).# ! Diffusion! Etablissements#coNtutelles#des#UMR,#directions#des#UMR#et#des#centres#Inria.#
1 Pour simplifier, cette note ne traite que le cas le plus fréquent de création d’une EPC entièrement incluse au sein d’une UMR. Les cas concernant des EPC « à cheval » sur deux UMR, ou non strictement incluses dans une seule UMR, ou encore faisant intervenir d’autres établissements en sus des établissements co-tutelles/partenaires de l’UMR seront traités de façon similaire, mutatis mutandis.
This is a joint works with
Guillaume Bonfante José Fernandez Benjamin Rouxel
Aurélien Thierry Fabrice Sabatier
Jean-Yves Marion Problem What really makes this program?
Input: an x86 obfuscated binary code
What Happen After You Hit Return ?
Jean-Yves Marion Towards a high level semantics
0000000100000e80 push rbp ! 0000000100000e81 mov rbp, rsp! 0000000100000e84 mov qword [ss:rbp+var_8], rdi! 0000000100000e88 mov qword [ss:rbp+var_10], 0x0! Disassembly 0000000100000e90 mov qword [ss:rbp+var_18], 0x0! !0000000100000e98 mov qword [ss:rbp+var_18], 0x0! 0000000100000ea0 mov rax, qword [ss:rbp+var_18] ! 0000000100000ea4 cmp rax, qword [ss:rbp+var_8]! !0000000100000ea8 jge 0x100000f1a! 0000000100000eae mov rax, 0x2! 0000000100000eb8 mov rcx, qword [ss:rbp+var_18]! Memory or PE file 0000000100000ebc mov qword [ss:rbp+var_20], rax! 0000000100000ec0 mov rax, rcx! 0000000100000ec3 cqo ! E80 : 55 48 89 E5 48 89 7D F8 48 C7 45 F0 00 00 00 00 48 C7 45 E8 00 00 0000000100000ec5 mov rcx, qword [ss:rbp+var_20]! E90 : 00 00 48 C7 45 E8 00 00 00 00 48 8B 45 E8 48 3B 45 F8 0F 8D 6C 00 0000000100000ec9 idiv rcx! EA0 : 00 00 48 B8 02 00 00 00 00 00 00 00 48 8B 4D E8 48 89 45 E0 48 89 0000000100000ecc cmp rdx, 0x0! EB0 : C8 48 99 48 8B 4D E0 48 F7 F9 48 81 FA 00 00 00 00 0F 85 17 00 00 0000000100000ed3 jne 0x100000ef0! EC0 : 00 48 8B 45 F0 48 C1 E0 01 48 05 02 00 00 00 48 89 45 F0 E9 12 00 ED0 : 00 00 48 8B 45 F0 48 C1 E0 01 48 05 01 00 00 00 48 89 45 F0 E9 00 ! 0000000100000ed9 mov rax, qword [ss:rbp+var_10]! EE0 : 00 00 00 48 8B 45 E8 48 05 01 00 00 00 48 89 45 E8 E9 86 FF FF FF 0000000100000edd shl rax, 0x1! EF0 : 48 8B 45 F0 5D C3 0000000100000ee1 add rax, 0x2! 0000000100000ee7 mov qword [ss:rbp+var_10], rax! !0000000100000eeb jmp 0x100000f02! 0000000100000ef0 mov rax, qword [ss:rbp+var_10] ! 0000000100000ef4 shl rax, 0x1! 0000000100000ef8 add rax, 0x1! !0000000100000efe mov qword [ss:rbp+var_10], rax! !0000000100000f02 jmp 0x100000f07 ! 0000000100000f07 mov rax, qword [ss:rbp+var_18] ! 0000000100000f0b add rax, 0x1! 0000000100000f11 mov qword [ss:rbp+var_18], rax! !0000000100000f15 jmp 0x100000ea0! 0000000100000f1a mov rax, qword [ss:rbp+var_10] ! 0000000100000f1e pop rbp! 0000000100000f1f ret
Jean-Yves Marion Towards a high level semantics
0000000100000e80 push rbp ! _suite:0000000100000e81 mov rbp, rsp! push rbp mov 0000000100000e84 rbp, rsp mov qword [ss:rbp+var_8], rdi! mov 0000000100000e88 qword [ss:rbp+var_8], movrdi qword [ss:rbp+var_10], 0x0! mov qword [ss:rbp+var_10], 0x0 mov 0000000100000e90 qword [ss:rbp+var_18], mov 0x0 qword [ss:rbp+var_18], 0x0! mov !0000000100000e98 qword [ss:rbp+var_18], mov 0x0 qword [ss:rbp+var_18], 0x0! 0000000100000ea0 mov rax, qword [ss:rbp+var_18] ! 0000000100000ea4 cmp rax, qword [ss:rbp+var_8]! 0000000100000ea8 jge 0x100000f1a! 0x100000ea0: mov ! rax, qword [ss:rbp+var_18] cmp 0000000100000eae rax, qword [ss:rbp +var_8] mov rax, 0x2! jge 0x100000f1a 0000000100000eb8 mov rcx, qword [ss:rbp+var_18]! 0000000100000ebc mov qword [ss:rbp+var_20], rax! 0000000100000ec0 mov rax, rcx! 0000000100000ec3 cqo ! E80 : 55 48 89 E5 48 89 7D F8 48 C7 45 F0 00 00 00 00 48 C7 45 E8 00 00 0000000100000ec5 mov rcx, qword [ss:rbp+var_20]! E90 : 00 00 48 C7 45 E8 00 00 00 00 48 8B 45 E8 48 3B 45 F8 0F 8D 6C 00 0x100000eae: mov 0000000100000ec9 rax, 0x2 idiv rcx! EA0 : 00 00 48 B8 02 00 00 00 00 00 00 00 48 8B 4D E8 48 89 45 E0 48 89 mov 0000000100000ecc rcx, qword [ss:rbp +var_18] cmp rdx, 0x0! EB0 : C8 48 99 48 8B 4D E0 48 F7 F9 48 81 FA 00 00 00 00 0F 85 17 00 00 mov qword [ss:rbp+var_20], rax 0x100000f1a: mov 0000000100000ed3 rax, rcx jne 0x100000ef0mov ! rax, qword [ss:rbp+var_10] EC0 : 00 48 8B 45 F0 48 C1 E0 01 48 05 02 00 00 00 48 89 45 F0 E9 12 00 cqo pop rbp ED0 : 00 00 48 8B 45 F0 48 C1 E0 01 48 05 01 00 00 00 48 89 45 F0 E9 00 mov ! rcx, qword [ss:rbp+var_20] ret idiv 0000000100000ed9 rcx mov rax, qword [ss:rbp+var_10]! EE0 : 00 00 00 48 8B 45 E8 48 05 01 00 00 00 48 89 45 E8 E9 86 FF FF FF cmp rdx, 0x0 jne 0000000100000edd 0x100000ef0 shl rax, 0x1! EF0 : 48 8B 45 F0 5D C3 0000000100000ee1 add rax, 0x2! 0000000100000ee7 mov qword [ss:rbp+var_10], rax! !0000000100000eeb jmp 0x100000f02! 0x100000ed9:0000000100000ef0 mov rax,0x100000ef0: qword [ss:rbp+var_10] ! mov rax, qword [ss:rbp+var_10] mov rax, qword [ss:rbp+var_10] shl 0000000100000ef4 rax, 0x1 shl rax, 0x1shl ! rax, 0x1 add 0000000100000ef8 rax, 0x2 add rax, add0x1 ! rax, 0x1 mov qword [ss:rbp+var_10], rax mov qword [ss:rbp+var_10], rax jmp !0000000100000efe 0x100000f02 mov qword [ss:rbp+var_10], rax! !0000000100000f02 jmp 0x100000f07 ! 0000000100000f07 mov rax, qword [ss:rbp+var_18] ! 0x100000f02: 0000000100000f0bjmp 0x100000f07 add rax, 0x1! 0000000100000f11 mov qword [ss:rbp+var_18], rax! !0000000100000f15 jmp 0x100000ea0! 0000000100000f1a mov rax, qword [ss:rbp+var_10] ! 0x100000f07: 0000000100000f1e pop rbp! mov rax, qword [ss:rbp+var_18] Control Flow Graph add rax, 0x10000000100000f1f ret mov qword [ss:rbp+var_18], rax jmp 0x100000ea0
Jean-Yves Marion Towards a high level semantics
0000000100000e80 push rbp ! 0000000100000e81 mov rbp, rsp! _suite: push rbp 0000000100000e84 mov qword [ss:rbp+var_8], rdi! mov rbp, rsp 0000000100000e88 mov qword [ss:rbp+var_10], 0x0! mov qword [ss:rbp+var_8], rdi mov qword [ss:rbp+var_10], 0x0 0000000100000e90 mov qword [ss:rbp+var_18], 0x0! mov qword [ss:rbp+var_18], 0x0 !0000000100000e98 mov qword [ss:rbp+var_18], 0x0! mov qword [ss:rbp+var_18], 0x0 0000000100000ea0 mov rax, qword [ss:rbp+var_18] ! 0000000100000ea4 cmp rax, qword [ss:rbp+var_8]! 0000000100000ea8 jge 0x100000f1a! 0x100000ea0: ! mov rax, qword [ss:rbp+var_18] 0000000100000eae mov rax, 0x2! cmp rax, qword [ss:rbp+var_8] jge 0x100000f1a long int suite(long int x) 0000000100000eb8 mov rcx, qword [ss:rbp+var_18]! 0000000100000ebc mov qword [ss:rbp+var_20], rax! { 0000000100000ec0 mov rax, rcx! 0000000100000ec3 cqo ! long int u=0; 0000000100000ec5 mov rcx, qword [ss:rbp+var_20]! 0x100000eae: long int i=0; 0000000100000ec9 idiv rcx! mov rax, 0x2 mov rcx, qword [ss:rbp+var_18] 0000000100000ecc cmp rdx, 0x0! mov qword [ss:rbp+var_20], for(i=0;i Jean-Yves Marion Abstraction by reverse-refinement long int suite(long int x) High-level semantics { long int u=0; long int i=0; for(i=0;i _suite: push rbp mov rbp, rsp mov qword [ss:rbp+var_8], rdi mov qword [ss:rbp+var_10], 0x0 mov qword [ss:rbp+var_18], 0x0 mov qword [ss:rbp+var_18], 0x0 0x100000ea0: mov rax, qword [ss:rbp+var_18] cmp rax, qword [ss:rbp+var_8] jge 0x100000f1a 0x100000eae: mov rax, 0x2 mov rcx, qword [ss:rbp+var_18] mov qword [ss:rbp+var_20], rax 0x100000f1a: mov rax, rcx mov rax, qword [ss:rbp+var_10] cqo pop rbp mov rcx, qword [ss:rbp+var_20] ret idiv rcx cmp rdx, 0x0 jne 0x100000ef0 0x100000ed9: mov rax, qword [ss:rbp+var_10] 0x100000ef0: shl rax, 0x1 mov rax, qword [ss:rbp+var_10] add rax, 0x2 shl rax, 0x1 mov qword [ss:rbp+var_10], rax add rax, 0x1 jmp 0x100000f02 mov qword [ss:rbp+var_10], rax 0x100000f02: jmp 0x100000f07 0x100000f07: mov rax, qword [ss:rbp+var_18] add rax, 0x1 mov qword [ss:rbp+var_18], rax jmp 0x100000ea0 Disassembly is a crucial step 0000000100000e80 push rbp ! 0000000100000e81 mov rbp, rsvp! 0000000100000e84 mov qword [ss:rbp+var_8], rdi! 0000000100000e88 mov qword [ss:rbp+var_10], 0x0! 0000000100000e90 mov qword [ss:rbp+var_18], 0x0! 0000000100000e98 mov qword [ss:rbp+var_18], 0x0 E80 : 55 48 89 E5 48 89 7D F8 48 C7 45 F0 00 00 00 00 48 C7 45 E8 00 00 E90 : 00 00 48 C7 45 E8 00 00 00 00 48 8B 45 E8 48 3B 45 F8 0F 8D 6C 00 EA0 : 00 00 48 B8 02 00 00 00 00 00 00 00 48 8B 4D E8 48 89 45 E0 48 89 EB0 : C8 48 99 48 8B 4D E0 48 F7 F9 48 81 FA 00 00 00 00 0F 85 17 00 00 EC0 : 00 48 8B 45 F0 48 C1 E0 01 48 05 02 00 00 00 48 89 45 F0 E9 12 00 ED0 : 00 00 48 8B 45 F0 48 C1 E0 01 48 05 01 00 00 00 48 89 45 F0 E9 00 EE0 : 00 00 00 48 8B 45 E8 48 05 01 00 00 00 48 89 45 E8 E9 86 FF FF FF EF0 : 48 8B 45 F0 5D C3 Low-level semantics Jean-Yves Marion Context Practical issues related to binary analysis Code Protections against analysis Jean-Yves Marion MA"F')2%PH%>F6)$/)%J?%<)#63'I%6))$=% a31:Cb)()'%>F6*A#/*3"$6 Malware protections � SB* 3$ "BA @"A'DG @) /#$ :#()H ���������������������� 9A35"B;H%N)()A6)C)$13$))A3$1%"?%2#'@#A)%5#/E)A6%?"A%DB223)6%C 4))5O)/ 7,8,% 8P 1.Obfuscation Malware analysis is very hard 2.Cryptography 3.Self-modification 4.Code overlapping 5.Anti-analysis tricks Rational approach to help Felix the cat ! Jean-Yves Marion A common protection scheme for malware Decrypt Decrypt Decrypt Wave 1 Wave 2 ...... Wave 18 01005000 pushfd 01007088 call 0x100708d 1006ba7 mov ebx, dword ptr [ebp+0x403783] 01005001 push 0x3 0100708d sub dword [ss:esp], 0x23a ! 1006bad xor esi, esi! 01005003 jae 0x1005010 01007094 jmp dword [ss:esp+0x4] 1006baf not ebx! 01005005 jmp 0x1005009 01005007 db 0x75 ; 'u' 1006bb1 or esi, ebx! 01005008 db 0x75 ; 'u' 1006bb3 jnz 0xa! 01005009 call 0x1005014 1006bbd add ebx, dword ptr [ebp+0x403763]! 0100500e xor ax, 0xf773 01005012 jmp 0x1005031 01005014 add esp, 0x4 01005017 jmp 0x100501b 01005019 db 0x75 ; 'u' This is a run of the packer Telock 0100501a db 0x75 ; 'u' 0100501b dec dword [ss:esp] with 18 waves payload A run is a sequence of waves Self-modifying program schema Jean-Yves Marion Almost all malware is self-modifying ! 600 samples! divided in 6 families! 93% are self-modifying Number of waves Based on 100 samples of Koobface, Conficker, Cutwail, Ramnit, Storm Worm, Waledac ! See Virus Bulletin 2015! Problem How to obtain a correct Control Flow Graph of a self-modifying code ? Disassembly of self-modifying codes Jean-Yves Marion Where are we ? The input: An obfuscated x86 binary file with no information except an entry point (e.g. a malware) Can we recover the assembly code of the original program inside a binary file ? when the binary file is self-modifying Goal The disassembly of each wave of code of a self-modifying code (e.g. packers). CoDisasm : Concatic disassembly of self-modifying binaries with overlapping instructions tELock genrates 18 waves ABSTRACT ;datasize Disassembly is a key task in software debuggingA payload installer and mal- 01006e62 mov ecx ,0x1dc2 ;ebxisthepointerontheblocktodecrypt ware analysis. It involves the recovery of assembly instruc- ;ebx=0x1005090 tions from binary machine code. It can be problematic in 01006e67 inc ebx the case of malicious code, as malware writers often employ 01006 e6f loop : rol byte ptr [ ebx+ecx ], 0x5 techniques to thwart correct disassembly by standard tools. 01006e73 add byte ptr [ ebx+ecx ], cl Nonetheless, disassembly is a crucial step in malware reverse 01006e76 xor byte ptr [ ebx+ecx ], 0x67 engineering. Correct disassembly of binariesUnpack is necessary a tELock-file to 01006e7a inc byte ptr [ ebx+ecx ] 01006e7d dec ecx produce a higher level representation of the code and thus 01006e80 jnle loop allow the analysis to develop high-level understanding of its ;jumptothedecrypteddata behavior and purpose. 01006e82 jmp 0x01005090 In this paper, we focus on the disassembly of x86 self-modi- Figure 1: Decryption loop of tELock of data from fying binaries with overlapping instructions.The payload Current is decrypted state- ! address 0x01005090 to 0x01006e52 of-the-art disassemblers fail to interpretin these 0x01005090 two common forms of obfuscation, causing an incorrect disassembly of large parts of the input. We introduce a novel disassembly Wave method, called concatic disassembly, that combines CON- ...... Crete path execution with stATIC disassembly.Wave 1 We have Wavedevelop 2 decompilers in order to extract relevant high-level Decryption Decryption Decryption 18 developed a standalone disassembler called CoDisasm that semantics information. However, there are several inherent implements this approach, together with a plug-in for the di�culties in devising a disassembly process. In [17], it is popular reversing engineering tool IDA called BinViz to vi- reported that up to 65% of the code is typically incorrectly sualize the code waves generated by CoDisasm and to visu- disassembled.Self-modifying One di�culty isprogram that it is almost schema impossi- alize overlapping instructions. Our approach substantially ble, to separate machine code from data. Both are mixed improves the success of disassembly when confronted with in a long sequence of bytes. Instructions such as jmp may both self-modification and code overlap in analyzed binaries. skip data, jumping from one piece of code to another one. Experimental results on about five hundred malware sam- Moreover, these jumps are not statically predictable. An il- ples show that our approach correctly recovers large parts of lustration of this fact is an indirect jump like the instruction the code. To our knowledge, no other disassembler thwarts jmp eax. To pursue static analysis, it is then necessary to both of these obfuscations methods together. determine the range of values in the register eax,oratleast a good approximation of the eax values. It is worth not- ing that determining the destination of an indirect jump is 1. INTRODUCTION undecidable, which implies that separating code from data Description of the problem and pitfalls. Disassembly is also an uncomputable task. Most previous studies [25, is the first step in the analysis of malware binaries and it is an 18, 26, 16, 15] have tried to solve the problem of indirect essential one as all subsequent steps will crucially depend on jumps employing static analysis methods. That said, there the accuracy of the disassembly. Indeed, it is from the disas- are other significant issues. In this paper, we focus on two of sembly of a binary that we can reconstruct the control flow them: (i) self-modifying code and (ii) overlapping instruc- graph (CFG) in order to perform further reverse engineer- tions. Both obfuscation techniques are designed to protect ing analysis tasks. It is also from the disassembly that we codes against human and automated analysis, and are in fact quite widespread in malware. The first issue concerns self-modifying code. Indeed, nowa- days malware is almost always self-modifying. Generally, this code protection consists in a sequence of unpacking and decryption routines until the payload is extracted. For ex- ample, the driver of Duqu [3] decompresses a upx-packed data and decrypts the data in order to generate its main dll which will then be injected in memory within service.exe. Wave extraction Dynamic analysis Secure sand boxing TRACER First An execu�on trace Last instruc�on instruc�on A trace indicates a sequence of code waves Wave 18 Wave 1 Wave 2 ...... Wave 17 ...... PE-Wave 1 PE-Wave 2 PE-Wave 16 PE-Wave 18 Next Goal : Disassemble each PE-wave separately determined by the trace TeLock with 18 waves Dynamic analysis Secure sand boxing TRACER First An execu�on trace Last instruc�on instruc�on A trace indicates a sequence of code waves Wave 18 Wave 1 Wave 2 ...... Wave 17 ...... PE-Wave 1 PE-Wave 2 PE-Wave 16 PE-Wave 18 Armadillo (V9) : 2 processes 11 threads Dynamic analysis Secure sand boxing TRACER First An execu�on trace Last instruc�on instruc�on A trace indicates a sequence of code waves Wave 164 Wave 1 Wave 2 ...... Wave 163 PE-Wave 162Contains the packed file 1005005 (2): jmp 0x4 1005009 (5): call 0xb 1005014 (3): add esp, 0x4 1005017 (2): jmp 0x4 Wave disassembly Disassemble each PE encoding a wave 100501b (3): dec dword ptr [esp] the execution trace 100501e (2): jno 0x3 1005020 (2): jno 0x7b Instruc�on overlapping Separate code from data ?? 1005021 (2): jns 0xffffffe2 100509b (2): jmp 0xffffffc9 1005022 (2): loopne 0x7c 1005023 (2): jp 0x3 A path in the wood 1005024 (3): add dword ptr [ebp-0x7d], esi 1005025 (2): jnz 0xffffff85 1005026 (3): add esp, 0x4 1004faa (2): add byte ptr [eax], al Solved partially indirect jumps 1005027 (7): les eax, ptr [ebx*4-0x638afe15] 1004fac (2): add byte ptr [eax], al 1005029 (1): popfd 1004fae (2): add byte ptr [eax], al 100502a (2): jmp 0x3 1004fb0 (2): add byte ptr [eax], al 100502d (1): pushfd 1004fb2 (2): add byte ptr [eax], al 1004fb4 (2): add byte ptr [eax], al 100502e (2): jb 0xc 1004fb6 (2): add byte ptr [eax], al 1004fb8 (2): add byte ptr [eax], al 1004fba (2): add byte ptr [eax], al 1004fbc (2): add byte ptr [eax], al 1004fbe (2): add byte ptr [eax], al 1004fc0 (2): add byte ptr [eax], al 1004fc2 (2): add byte ptr [eax], al 1004fc4 (2): add byte ptr [eax], al 1004fc6 (2): add byte ptr [eax], al 1004fc8 (2): add byte ptr [eax], al 1004fca (2): add byte ptr [eax], al 1004fcc (2): add byte ptr [eax], al 1004fce (2): add byte ptr [eax], al 1004fd0 (2): add byte ptr [eax], al 1004fd2 (2): add byte ptr [eax], al 1004fd4 (2): add byte ptr [eax], al 1004fd6 (2): add byte ptr [eax], al 1004fd8 (2): add byte ptr [eax], al 1004fda (2): add byte ptr [eax], al 1004fdc (2): add byte ptr [eax], al 1004fde (2): add byte ptr [eax], al 1004fe0 (2): add byte ptr [eax], al 1004fe2 (2): add byte ptr [eax], al 1004fe4 (2): add byte ptr [eax], al 1004fe6 (2): add byte ptr [eax], al 1004fe8 (2): add byte ptr [eax], al 1004fea (2): add byte ptr [eax], al 1004fec (2): add byte ptr [eax], al 1004fee (2): add byte ptr [eax], al 1004ff0 (2): add byte ptr [eax], al 1004ff2 (2): add byte ptr [eax], al 1004ff4 (2): add byte ptr [eax], al 1004ff6 (2): add byte ptr [eax], al 1004ff8 (2): add byte ptr [eax], al 1004ffa (2): add byte ptr [eax], al 1004ffc (2): add byte ptr [eax], al 1004ffe (2): add byte ptr [eax], al 100709d (5): jmp 0xffffdf63 1005000 (1): pushfd 1005001 (2): push 0x3 1005003 (2): jnb 0xd 100500e (4): xor ax, 0xf773 1005010 (2): jnb 0xfffffff9 1005012 (2): jmp 0x1f 10050e7 (2): loop 0xffffff86 1005031 (3): add dword ptr [ebp-0x18], esi 10050e9 (5): and eax, 0x874c4788 1005034 (5): add eax, 0x75000000 10050ee (3): les edx, ptr [ebx+0x7e] 1005039 (2): jnz 0x74 10050f1 (1): pushfd 100503a (2): jb 0xfffffff6 10050ad (1): stosd dword ptr [edi] 10050f2 (1): stc 1005030 (2): jmp 0x3 100503b (1): hlt 10050f3 (3): add byte ptr [eax+0x5a], bh 100503c (7): add dword ptr [ebx-0x1462fb3c], 0x1 1005033 (5): call 0xa 10050ae (1): out dx, eax 10050f6 (7): adc dword ptr [esi+0x7c], 0x97771713 100503d (3): add esp, 0x4 1005038 (2): jnz 0x77 10050fd (5): adc eax, 0xc80e9c9b 1005040 (1): popfd 10050af (2): adc dword ptr [edi], edi 1005102 (2): jnl 0xffffffaf 1005043 (5): call 0xe8f96095 1005041 (2): jmp 0x3 10050b1 (2): jnle 0xffffffa9 1005044 (1): nop 10050b3 (1): movsb byte ptr [edi], byte ptr [esi] 1005045 (1): pushad 10050b4 (1): into 1005046 (1): stc 1005047 (5): call 0x8 1005048 (2): add eax, dword ptr [eax] 100504a (2): add byte ptr [eax], al 100504c (5): call 0xe800ed 100504f (5): call 0x5 1005051 (2): add byte ptr [eax], al 1005053 (3): add byte ptr [esi+0x2b], bl 1005054 (1): pop esi 1005055 (2): sub ecx, ecx 1005056 (1): leave 1005057 (1): pop eax 1005058 (2): jz 0x4 100505a (2): int 0x20 100505c (5): mov ecx, 0x1dc9 1005061 (2): mov eax, ecx 1005063 (1): clc 1005064 (2): jnb 0x4 1005066 (2): int 0x20 1005068 (6): add esi, 0x36 100506e (4): lea eax, ptr [ecx+eax*4+0x67] 1005072 (5): call 0x7 1005077 (5): call 0x46063085 1005079 (2): xor byte ptr [esi], al 100507b (1): inc esi 100507c (1): pop edx 100507d (2): jmp 0x3 1005080 (2): aam 0x9 1005082 (1): dec ecx 1005083 (2): jnle 0xffffffeb 1005085 (3): addr16 jcxz 0x5 Instruction overlapping in UPX packer 010059f0!!89!f9!!!!mov ecx,edi! 010059f2!!79!07!!!!jnz +9! 010059f4!!0f!b7!07!!!movzx eax, word [edi]! 010059f7!!47!!!!!inc edi! 010059f8!!50!!!!!push eax! 010059fa!!b9!57!48!f2!ae!mov ecx, aef24857! 010059ff!!55!!!!!push ebp Inside Wave 1 Instruction overlapping in UPX packer 010059f0!!89!f9!!!!mov ecx,edi! 010059f2!!79!07!!!!jnz +9! 010059f4!!0f!b7!07!!!movzx eax, word [edi]! 010059f7!!47!!!!!inc edi! 010059f8!!50!!!!!push eax! 010059fa!!b9!57!48!f2!ae!mov ecx, aef24857! overlapped! ! 010059fb!!57!!!!push edi! instructions!010059fc!!!48!!!dec eax! !010059fd!!!!f2!ae!repne scasb! 010059ff!!55!!!!!push ebp Inside Wave 1 Missing code Jean-Yves Marion 10059d0 (2): jz 0x47 10059d2 (3): mov ebx, dword ptr [edi+0x4] 10059d5 (7): lea eax, ptr [eax+esi*1+0x541c] 10059dc (2): add ebx, esi 10059de (1): push eax 10059df (3): add edi, 0x8 10059e2 (6): call dword ptr [esi+0x5494] 10059e8 (1): xchg ebp, eax 10059e9 (2): mov al, byte ptr [edi] 10059eb (1): inc edi 10059ec (2): or al, al 10059c4 (2): loop 0xffffffdb 10059ee (2): jz 0xffffffde 10059c6 (6): lea edi, ptr [esi+0x3000] 100599f (2): cmp al, 0x1 100591c (2): jz 0x76 10059f0 (2): mov ecx, edi 10059cc (2): mov eax, dword ptr [edi] 10059a1 (2): jnbe 0xfffffff9 1005992 (1): pop esi 100591e (2): mov ebp, eax Screenshot of Codisasm 10059f2 (2): jns 0x9 10059ce (2): or eax, eax 10059a3 (3): cmp byte ptr [edi], 0x1 1005993 (2): mov edi, esi 1005920 (2): add ebx, ebx 10059f4 (3): movzx eax, word ptr [edi] 10059a6 (2): jnz 0xfffffff4 1005995 (5): mov ecx, 0x13 1005922 (2): jnz 0x9 10059f7 (1): inc edi 10059a8 (2): mov eax, dword ptr [edi] 100599a (2): mov al, byte ptr [edi] 1005924 (2): mov ebx, dword ptr [esi] 10059f8 (1): push eax 10059aa (3): mov bl, byte ptr [edi+0x4] 100599c (1): inc edi 1005926 (3): sub esi, 0xfffffffc 10059f9 (1): inc edi 100599d (2): sub al, 0xe8 10059ad (4): shr ax, 0x8 1005929 (2): adc ebx, ebx 10059fa (5): mov ecx, 0xaef24857 10059b1 (3): rol eax, 0x10 100592b (2): adc ecx, ecx Overlapping 10059fb (1): push edi 10059b4 (2): xchg ah, al 100592d (2): add ebx, ebx 10059fc (1): dec eax 10059b6 (2): sub eax, edi 100592f (2): jnz 0x9 10059fd (2): repne scasb byte ptr [edi] 10059b8 (3): sub bl, 0xe8 1005931 (2): mov ebx, dword ptr [esi] 10059ff (1): push ebp UPX Wave 1 10059bb (2): add eax, esi 1005933 (3): sub esi, 0xfffffffc Jean-Yves Marion 1005a00 (6): call dword ptr [esi+0x5498] 10059bd (2): mov dword ptr [edi], eax 1005936 (2): adc ebx, ebx 1005a06 (2): or eax, eax 10059bf (3): add edi, 0x5 1005938 (2): adc ecx, ecx 1005a08 (2): jz 0x9 10059c2 (2): mov al, bl 100593a (2): jnz 0x22 1005a11 (6): call dword ptr [esi+0x54a8] 1005a0a (2): mov dword ptr [ebx], eax 100593c (1): inc ecx 1005a17 (6): mov ebp, dword ptr [esi+0x549c] 1005a0c (3): add ebx, 0x4 100593d (2): add ebx, ebx 1005a1d (6): lea edi, ptr [esi-0x1000] 1005a0f (2): jmp 0xffffffda 100593f (2): jnz 0x9 1005a23 (5): mov ebx, 0x1000 1005941 (2): mov ebx, dword ptr [esi] 1005a28 (1): push eax 1005943 (3): sub esi, 0xfffffffc 1005a29 (1): push esp 1005946 (2): adc ebx, ebx 1005a2a (2): push 0x4 1005948 (2): adc ecx, ecx 1005a2c (1): push ebx 100594a (2): add ebx, ebx 1005a2d (1): push edi 100594c (2): jnb 0xfffffff1 1005a2e (2): call ebp 100594e (2): jnz 0xb 1005a30 (6): lea eax, ptr [edi+0x1f7] 1005950 (2): mov ebx, dword ptr [esi] 1005a36 (3): and byte ptr [eax], 0x7f 1005952 (3): sub esi, 0xfffffffc 1005a39 (4): and byte ptr [eax+0x28], 0x7f 1005955 (2): adc ebx, ebx 1005a3d (1): pop eax 1005957 (2): jnb 0xffffffe6 1005a3e (1): push eax 1005959 (3): add ecx, 0x2 1005a3f (1): push esp 100595c (6): cmp ebp, 0xfffff300 1005a40 (1): push eax 1005962 (3): adc ecx, 0x1 1005a41 (1): push ebx 1005965 (3): lea edx, ptr [edi+ebp*1] 1005a42 (1): push edi 1005968 (3): cmp ebp, 0xfffffffc 1005a43 (2): call ebp 100596b (2): jbe 0x11 1005a45 (1): pop eax 100596d (2): mov al, byte ptr [edx] 100597c (2): mov eax, dword ptr [edx] 1005a46 (1): popad 100596f (1): inc edx 100597e (3): add edx, 0x4 1005a47 (4): lea eax, ptr [esp-0x80] 1005970 (2): mov byte ptr [edi], al 1005981 (2): mov dword ptr [edi], eax 1005a4b (2): push 0x0 1005972 (1): inc edi 1005983 (3): add edi, 0x4 1005a4d (2): cmp esp, eax 1005973 (1): dec ecx 1005986 (3): sub ecx, 0x4 10058c0 (1): pushad 1005a4f (2): jnz 0xfffffffc 1005974 (2): jnz 0xfffffff9 1005989 (2): jnbe 0xfffffff3 10058c1 (5): mov esi, 0x1005000 1005a51 (3): sub esp, 0xffffff80 100598b (2): add edi, ecx 10058c6 (6): lea edi, ptr [esi-0x4000] 1005a54 (5): jmp 0xffffb783 1005976 (5): jmp 0xffffff68 100598d (5): jmp 0xffffff51 10058cc (1): push edi 10058de (2): add ebx, ebx 10058cd (3): or ebp, 0xffffffff 10058e0 (2): jnz 0x9 10058d0 (2): jmp 0x12 10058e2 (2): mov ebx, dword ptr [esi] 10058e4 (3): sub esi, 0xfffffffc 10058e7 (2): adc ebx, ebx 10058e9 (2): jb 0xffffffef 10058d8 (2): mov al, byte ptr [esi] 10058eb (5): mov eax, 0x1 10058da (1): inc esi 10058f0 (2): add ebx, ebx 10058db (2): mov byte ptr [edi], al 10058f2 (2): jnz 0x9 10058dd (1): inc edi 10058f4 (2): mov ebx, dword ptr [esi] 10058f6 (3): sub esi, 0xfffffffc 10058f9 (2): adc ebx, ebx 10058fb (2): adc eax, eax 10058fd (2): add ebx, ebx 10058ff (2): jnb 0xfffffff1 1005901 (2): jnz 0xb 1005903 (2): mov ebx, dword ptr [esi] 1005905 (3): sub esi, 0xfffffffc 1005908 (2): adc ebx, ebx 100590a (2): jnb 0xffffffe6 100590c (2): xor ecx, ecx 100590e (3): sub eax, 0x3 1005911 (2): jb 0xf 1005913 (3): shl eax, 0x8 1005916 (2): mov al, byte ptr [esi] 1005918 (1): inc esi 1005919 (3): xor eax, 0xffffffff The overall architecture of the disassembler We combine concrete path execution and static analysis Sandbox Tracer Memory! Plug-in IDA snapshots Binary! program Wave! Execution ! Disassembler recovering traces Worflow : compact traces x86 file Server + Disassemble Memory dumps (available at http://marionjy.loria.fr/) We are what we read ! • J. Caballero, N. M. Johnson, S. Mccamant, and D. Song: Binary code extraction and interface identification for security applications! • J. Kinder, F. Zuleger, and H. Veith: An abstract interpretation-based framework for control flow reconstruction from binaries! • T. W. Reps and G. Balakrishnan: Improved memory-access analysis for x86 executables! • S. Debray and J. Patel: Reverse engineering self-modifying code: Unpacker extraction! • N. Krishnamoorthy, S. Debray, and K. Fligg: Static detection of disassembly errors! • B. Schwarz, S. Debray, and G. Andrews: Disassembly of executable code revisited! • C. Kruegel, W. Robertson, F. Valeur, and G. Vigna: Static disassembly of obfuscated binaries! • J. Kinder. Static analysis of x86 executables! • G. Vigna. Static disassembly and code analysis Jean-Yves Marion • Call/ret obfuscations Pitfalls : • Indirect jumps • Opaque Predicates Another key issue : Big code ! Answers to these questions should be automatic and should deal with vast amounts of samples ! ! • about 6 millions of samples inside our lab! ! • about 300 000 files by day for Google via VirusTotal !! ! • 400 millions of samples for Google 80 hours (=3 days) to analyze 300 000 files with a time put of 1 sec. by file Jean-Yves Marion Summary : Codisasm A model of self-modifiying computations based on Waves! Deals with Self modifying codes! Deals with overlapping instructions! Follows processes and implements a sequence of anti-anti- debugging tricks! The last wave of Mystic packer generates 3 processes! Jean-Yves Marion Packer disassembly #Waves 1 2 3 4 5–10 > 10 Packer name #proc. #thr. #Wave DM 8% 53% 12% 6% 13% 9% ACProtect v2.0 1 1 635 N Armadillo v9.64 2 11 165 Y Table 2: Number of waves from 500 malware Aspack v2.12 1 1 3 N BoxedApp v3.2 1 15 6 Y # Layers 1 2 3 4 5 EP Protector v0.3 1 1 2 N � Expressor 1 1 2 N 32% 35% 17% 11% 5% FSG v2.0 1 1 2 N JD Pack v2.0 1 1 3 N Table 3: Number of layers from 500 malware MoleBox 1 1 3 N Mystic 1 1 4 Y Neolite v2.0 1 1 2 N an unknown binary like a malware will not be conclusive nPack v1.1.300 1 1 2 N because we do not know aprioriits assembly code (probably Packman v1.0 1 1 2 N PE Compact v2.20 1 1 4 Y generated at runtime). Therefore, we packed hostname.exe PECrypt V1.02 1 4 99 Y with 28 di↵erent packers. The results are shown in Table 4. PE Lock 1 1 15 Y We display the number of processes, threads and waves of PE Spin v1.1 1 1 80 Y the 28 packers. The last column indicates whether instruc- Petite v2.2 1 1 3 N tions are run in dynamically allocated memory or not. What RLPack 1 1 2 N we immediately see is that packers massively use waves, Setisoft v2.7.1 1 5 32 Y TELock v0.99 1 1 18 Y some of them being dynamically allocated. The cascade Themida v2.0.3.0 1 28 106 Y of waves may be as deep as 635. We were dumbfounded to Upack v0.39 1 1 3 N see that up to 20% of some of these waves were composed Upx v2.90 1 1 2 N of overlapped instructions. The case of armadillo is as- VM Protect v1.50 1 1 1 N tounding. We observed 132 overlapping instructions and the WinUPack 1 1 3 N packer creates 11 threads and has 2 processes. (The father Yoda’s Crypter v1.3 1 1 4 Y Yoda’s Protector v1.02 1 1 6 N process creates a new process which contains the original code. Then the father process attaches to the son process Jean-Yves#proc. Marion = number of processes ; #thr. = number of threads like a debugger.) #Wave = number of waves ; DM = Code run in allocated For all packers but Setisoft, we observed that the packed memory code behaves like hostname.exe. In fact, Setisoft detects the presence of Pin tracer and does not run hostname.exe. Table 4: Packer analysis Thus, in all but one case, we can state that we escape anti- debugging techniques and that we correctly reach the “pay- load”. In all but three cases (PE Lock, PE Spin and VM Protect), we have been able to manually find the original Wave Time (ms) #Instructions #Layers code of hostname.exe within the waves disassembly, some- 1 62 1189 3 times sliced into small pieces. The packer VM Protect is a 2 47 1115 3 code virtualizer, and thus it is expected that we cannot see 3 20 357 1 that original code, only its intermediate representation. PE Spin and PE Lock are based on code transformations, and again it is not surprising that the original code cannot be Table 5: Aspack v2.12 recovered. This sequence of test shows that Pin tracer is able to correctly instrument many significant packers. For completeness, we also repeated the experiment replac- ing hostname.exe with other software. No significant di↵er- Wave Time (ms) #Instructions #Layers ences in results were observed. 1 1 85 4 Finally, we determine for each packer the number of in- 2 1 67 1 3 1 20 2 structions by wave and also the number of layers. To con- 4 1 43 2 duct these experiments, we packed again hostname.exe ,which 5 13 693 4 has 335 instructions. Due to a lack of space, we just present 6 1 18 1 the results for Aspack in Table 5.4 and TELock in Table 6. 7 1 28 1 8 1 16 1 5.5 A malware writer scenario 9 1 51 1 10 1 36 1 In this last experiment, we sent the backdoor hupigon.eyf 11 1 23 1 to the Virus Total Web service. From a total of 57 antivirus 12 1 49 1 products, 45 detected hupigon.eyf and correctly identified 13 2 134 3 it. We then packed hupigon.eyf with the Mystic packer 14 9 496 3 and sent it back to Virus Total. This time, only 22 antivirus 15 5 333 3 products detected that the file was malicious, but none were 16 17 799 2 17 3 172 1 able to identify it. 18 8 431 1 We analyzed the same Mystic-packed file with CoDisasm. The Mystic packer generates 4 waves. The last wave cre- Table 6: TELo ck v0.99 ates a new process, which in turn creates two new processes. Epilogue : a malware writer scenario 1.We sent the backdoor hupigon.eyf toVirusTotal : ! Antivirus' (/fr/) scan•Communauté45 for fdd726007bdec7ef8a22e79f2f9e7115a86f... AV (/fr/community/ detected) Statistiques hupigon.eyf (/fr/statistics/) Documentationhttps://www.virustotal.com/fr/file/fdd726007bdec7ef8a22e79... over (/fr/documentation/ 57) AVFAQ! (/fr/faq/) A propos (/fr/about/) (/fr/) ( Français Rejoindre notre communauté Se connecter SHA256: fdd726007bdec7ef8a22e79f2f9e7115a86f1271f0be583858e4d09546860d33 Nom du fichier : Hupigon.eyf Ratio de détection : 45 / 57 0 0 Date d'analyse : 2015-05-16 14:05:50 UTC (il y a 4 mois, 3 semaines) ! Analyse " File detail # Informations supplémentaires $ Commentaires 1 % Votes & Informations comportementales Antivirus Résultat Mise à jour ALYac Backdoor.Agent.YRI 20150516 AVG BackDoor.Hupigon5.RUD 20150516 AVware Trojan.Win32.Generic!BT 20150516 Ad-Aware Backdoor.Agent.YRI 20150516 Agnitum Backdoor.Hupigon!HrNHLBHzU3k 20150515 AhnLab-V3 Win-Trojan/Hupigon.34304.AA 20150516 Antiy-AVL Jean-Yves Marion Trojan[Backdoor]/Win32.Hupigon 20150516 Avast Win32:Neptunia-WC [Trj] 20150516 Avira TR/Hijacker.Gen 20150516 Baidu-International Backdoor.Win32.Hupigon.eyf 20150516 BitDefender Backdoor.Agent.YRI 20150516 Comodo Packed.Win32.MUPX.Gen 20150516 Cyren W32/Injector.A.gen!Eldorado 20150516 DrWeb Trojan.MulDrop.7047 20150516 ESET-NOD32 Win32/Hupigon.NUP 20150516 Emsisoft Backdoor.Agent.YRI (B) 20150516 F-Prot W32/Injector.A.gen!Eldorado 20150516 F-Secure Backdoor.Agent.YRI 20150516 Fortinet PossibleThreat 20150516 GData Backdoor.Agent.YRI 20150516 Ikarus Trojan-Dropper.Delf 20150516 Jiangmin Backdoor/Hupigon.abcw 20150515 K7AntiVirus Trojan ( 0000185d1 ) 20150516 K7GW Trojan ( 0000185d1 ) 20150516 1 sur 2 11/10/2015 12:09 Kaspersky Backdoor.Win32.Hupigon.eyf 20150516 Epilogue : a malware writer scenario 1.We sent the backdoor hupigon.eyf toVirusTotal : ! • 45 AV detected hupigon.eyf over 57 AV! ! 2. We packed hupigon.eyf with Mystic packer: Mystic[hupigon.eyf]! ! 3. Only 22 AV identified Mystic[hupigon.eyf] has malicious without identifyingAntivirus' (/fr/) scanCommunauté for 601231c1b38053337822369de812b3e7f47... (hupigon.eyf/fr/community/) Statistiques !(/fr/statistics/) Documentationhttps://www.virustotal.com/fr/file/601231c1b3805333782236... (/fr/documentation/) FAQ (/fr/faq/) A propos (/fr/about/) ! (/fr/) ( Français Rejoindre notre communauté Se connecter SHA256: 601231c1b38053337822369de812b3e7f47811baa45192cfc59636c3a3289ed0 Nom du codisasm-mystic-Hupigon.eyf fichier : 0 0 Ratio de détection 22 / 57 : Date 2015-05-16 16:25:43 UTC (il y a 4 mois, 3 semaines) Voir les derniers (/fr/file d'analyse /601231c1b38053337822369de812b3e7f47811baa45192cfc59636c3a3289ed0 : /analysis/) ! Analyse " File detail # Informations supplémentaires $ Commentaires 0 % Votes & Informations comportementales Antivirus Résultat Mise à jour ALYac Gen:Heur.Zygug.1 20150516 AVG Jean-Yves Marion Win32/Cryptor 20150516 AVware Trojan.Win32.Agent.afy (v) 20150516 Ad-Aware Gen:Heur.Zygug.1 20150516 Avast Win32:MalOb-HX [Cryp] 20150516 Avira TR/Crypt.XPACK.Gen2 20150516 BitDefender Gen:Heur.Zygug.1 20150516 DrWeb Trojan.Packed.2305 20150516 ESET-NOD32 a variant of Win32/Kryptik.AACI 20150516 Emsisoft Gen:Heur.Zygug.1 (B) 20150516 F-Secure Gen:Heur.Zygug.1 20150516 Fortinet W32/Kryptik.XUW!tr 20150516 GData Gen:Heur.Zygug.1 20150516 Kaspersky HEUR:Trojan.Win32.Generic 20150516 MicroWorld-eScan Gen:Heur.Zygug.1 20150516 Microsoft VirTool:Win32/Obfuscator.VM 20150516 Panda Trj/Mystic.b 20150516 Rising PE:Malware.XPACK-LNR/Heur!1.5594 20150516 Sophos Mal/EncPk-ADY 20150516 Tencent Trojan.Win32.Qudamah.Gen.3 20150516 VBA32 BScope.Malware-Cryptor.Hlux 20150515 1VIPRE sur 3 Trojan.Win32.Agent.afy (v) 2015051611/10/2015 12:10 Epilogue : a malware writer scenario 1.We sent the backdoor hupigon.eyf toVirusTotal : ! • 45 AV detected hupigon.eyf over 57 AV! 2.! We packed hupigon.eyf with Mystic packer: Mystic[hupigon.eyf]! ! 3. Only 22 AV identified Mystic[hupigon.eyf] as malicious without identifying hupigon.eyf 4.We uses Codisasm on Mystic[hupigon.eyf]. We obtained 4 waves! 5.We checked that one of the processes in the last wave contains hupigon.eyf ! 6. We sent the PE file of the last wave to VirusTotal : 20 AV identified correctly hupigon.eyf Jean-Yves Marion Antivirus' (/fr/) scanCommunauté for 42516a3a7cc6b33804c5a62c5e36e8e7ecb... (/fr/community/) Statistiques (/fr/statistics/) Documentationhttps://www.virustotal.com/fr/file/42516a3a7cc6b33804c5a6... (/fr/documentation/) FAQ (/fr/faq/) A propos (/fr/about/) (/fr/) ( Français Rejoindre notre communauté Se connecter SHA256: 42516a3a7cc6b33804c5a62c5e36e8e7ecb28a92c5416d5c772e601d7ad66003 Nom du fichier : mystic2-Hupigon.eyf_wave3-WithAllocSec Ratio de détection 0 0 20 / 57 : Date d'analyse : 2015-05-16 16:38:34 UTC (il y a 4 mois, 3 semaines) ! Analyse " File detail # Informations supplémentaires $ Commentaires 0 % Votes Antivirus Résultat Mise à jour ALYac Backdoor.Agent.YRI 20150516 AVG BackDoor.Hupigon5.RUD 20150516 Ad-Aware Backdoor.Agent.YRI 20150516 AhnLab-V3 Win-Trojan/Hupigon.34304.AA 20150516 Antiy-AVL Trojan[Backdoor]/Win32.Hupigon 20150516 Avast Win32:Neptunia-WC [Trj] 20150516 BitDefender Backdoor.Agent.YRI 20150516 Comodo Backdoor.Win32.Hupigon.3 20150516 DrWeb Trojan.MulDrop.7047 20150516 ESET-NOD32 Jean-Yves Marion Win32/Hupigon.NUP 20150516 Emsisoft Backdoor.Agent.YRI (B) 20150516 F-Secure Backdoor.Agent.YRI 20150516 GData Backdoor.Agent.YRI 20150516 Ikarus Trojan-Dropper.Delf 20150516 Jiangmin Backdoor/Hupigon.abcw 20150515 Kaspersky Backdoor.Win32.Hupigon.eyf 20150516 MicroWorld-eScan Backdoor.Agent.YRI 20150516 Microsoft TrojanDropper:Win32/Delf 20150516 NANO-Antivirus Trojan.Win32.Hupigon.jvbb 20150516 nProtect Backdoor.Agent.YRI 20150515 AVware & 20150516 AegisLab & 20150516 Agnitum & 20150516 1Alibaba sur 2 & 2015051611/10/2015 12:10 Avira & 20150516 Questions ? Code available at http://marionjy.loria.fr/ Thank you Jean-Yves Marion