Written on behalf of José Julio Ruiz de Loizaga.
Today being the birthday of William Shakespeare, I felt the urge to write this post. When reversing files, one is prepared to find anything – well, almost anything. I was analyzing a dll and was surprised to find passages from Hamlet. At first I thought "My God, a trojan that promotes literacy, how odd." My surprise increased when the next files, two additional dlls, also contained fragments of The Bard's prose.
First dll.
It was clear that these three files were related. There were two possibilities, either the malware author was a fan of sixteenth century renaissance literature, or that the text was used to make detection more difficult.
This method has been seen before in phishing emails. Anti-phishing engines look at keywords in the body of a message. When these words are found, they are correlated to the length of the message. In other words, a keyword has greater weight the more times it is repeated in a short message, which is why it is not unusual to find phishing emails with some literary text rendered white, so as to be invisible to the reader. Although the recipient does not see the extra words, the anti-phishing engine is fooled by the additional words.
Second dll.
This technique isn't exactly the same, but it has the same goal; to trick the antivirus. In this case, the signature file engine is the target. The additional text is inserted with the intention of changing the file's signature, thereby avoiding detection. The truth is that this is an interesting and educational way of doing so.
Third dll.
P.S., I would have personally chosen "100 Years of Solitude", but well, "Hamlet" is not bad either.
Panda Security specializes in the development of endpoint security products and is part of the WatchGuard portfolio of IT security solutions. Initially focused on the development of antivirus software, the company has since expanded its line of business to advanced cyber-security services with technology for preventing cyber-crime.
