Intentional PE Corruption

Malwarebytes Anti-Malware is under constant attack. 24 hours per day, 7 days per week, 365 days per year.

If you read my recent blog post about the development of Malwarebytes Chameleon, you know that we at Malwarebytes have big red ‘X’s on our chests; the bad guys are always out to get us. Malwarebytes Anti-Malware has been downloaded 100 million times, is one of the most popular and effective anti-malware cleanup tools out there, and is a threat to the malware industry’s bottom line (what, you didn’t know there was a malware industry?). As such, it’s no surprise that malware is constantly trying to thwart our software.

One of the malware writers’ favorite tricks is to try to get our scanner to crash when scanning their malware files. Not only does this make us unable to detect and remove the malware, but it also makes us look bad. We have to play (somewhat) by the rules; the bad guys don’t. They are free to write as buggy, as corrupt, as unstable code as they want, and half the time, we take the blame for it! (You can imagine how challenging and frustrating this can be for us.)

I saw a cute new trick just the other day when I was analyzing a buggy malware binary that caused our scanner to crash.

The Windows PE executable binary format is divided into so-called “sections”, which contain different kinds of information about the binary. One section usually contains the actual executable code, another section contains read-only data, a third contains writable global variables, and another contains API import and export tables. One section, commonly called “.rsrc”, contains arbitrary “resource” data that the executable can reference. This often includes graphics, like icons or bitmaps, but it can be anything, even other binaries.

The .rsrc section is organized hierarchically into a tree data structure, where branches of the tree represent different resource “types” or classifications (like icons, or string resources), and individual leaves represent individual resource elements.

This cunning piece of malware created a tree with circular references: a tree whose leaves pointed back to its branches. In computer science terms, it created a directed cyclic graph of resources.

According to the Windows PE specification, this is illegal. As a result, not only did Windows’ own PE loader fail to parse the resources in the file (Explorer crashed spectacularly), but various security products went into an infinite loop trying to parse the resource tree.
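A resource-tree walker that refuses to follow such a cycle, as an added example (not Malwarebytes code, and independent of how their scanner does it). It parses the IMAGE_RESOURCE_DIRECTORY / IMAGE_RESOURCE_DIRECTORY_ENTRY layout described above from a raw .rsrc section, tracks every directory offset it has already visited, and also bounds depth and checks offsets against the section size; the two sample sections at the bottom are constructed for the example, not taken from the malware discussed.

```python
import struct

# IMAGE_RESOURCE_DIRECTORY (16 bytes) and IMAGE_RESOURCE_DIRECTORY_ENTRY (8 bytes); an entry whose
# OffsetToData has the high bit set names a subdirectory, otherwise an IMAGE_RESOURCE_DATA_ENTRY.
_DIR = struct.Struct("<IIHHHH")   # Characteristics, TimeDateStamp, Major, Minor, NumNamed, NumId
_ENTRY = struct.Struct("<II")     # Name/Id, OffsetToData
SUBDIR_FLAG = 0x80000000
class ResourceTreeError(ValueError): "The .rsrc tree is cyclic, too deep, or points outside the section."

def walk_resources(rsrc: bytes, max_depth: int = 16):
    """Return [(path_of_ids, data_entry_offset), ...] for every leaf (offsets are .rsrc-relative).
    Every directory offset is remembered, so a leaf pointing back at a branch raises, not loops."""
    leaves, visited = [], set()
    def visit(offset, path):
        if offset in visited:
            raise ResourceTreeError(f"cycle: directory {offset:#x} reached again via {path}")
        if len(path) >= max_depth:
            raise ResourceTreeError(f"tree deeper than {max_depth} levels")
        if offset + _DIR.size > len(rsrc):
            raise ResourceTreeError(f"directory {offset:#x} lies outside the section")
        visited.add(offset)
        *_, n_named, n_id = _DIR.unpack_from(rsrc, offset)
        pos = offset + _DIR.size
        for _ in range(n_named + n_id):
            if pos + _ENTRY.size > len(rsrc):
                raise ResourceTreeError(f"entry {pos:#x} lies outside the section")
            name, target = _ENTRY.unpack_from(rsrc, pos)
            pos += _ENTRY.size
            if target & SUBDIR_FLAG:
                visit(target & ~SUBDIR_FLAG, path + (name,))
            else:
                leaves.append((path + (name,), target))
    visit(0, ())
    return leaves

def is_well_formed(rsrc: bytes) -> bool:
    try:
        walk_resources(rsrc)
        return True
    except ResourceTreeError:
        return False

def _directory(entries):  # constructed helper: pack one directory of (id, OffsetToData) entries
    return _DIR.pack(0, 0, 0, 0, 0, len(entries)) + b"".join(_ENTRY.pack(i, t) for i, t in entries)

# Constructed sample sections, not from any real binary; each one-entry directory is 24 bytes.
# Well formed: type 3 (RT_ICON) -> name 1 -> language 0x409 -> IMAGE_RESOURCE_DATA_ENTRY at 72.
SAMPLE_OK = (_directory([(3, 24 | SUBDIR_FLAG)]) + _directory([(1, 48 | SUBDIR_FLAG)])
             + _directory([(0x409, 72)]) + struct.pack("<IIII", 0x3000, 0x100, 0, 0))
# Same shape, but the language directory's entry points back at the root: a directed cycle.
SAMPLE_CYCLIC = (_directory([(3, 24 | SUBDIR_FLAG)]) + _directory([(1, 48 | SUBDIR_FLAG)])
                 + _directory([(0x409, SUBDIR_FLAG)]))
```

On a real file, feed it the bytes of the .rsrc section (its VirtualAddress and size come from the section table or the resource data directory); a naive recursive walker with no `visited` set spins forever on SAMPLE_CYCLIC, which is the failure mode described above.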

But you can’t fool us, malware: Malwarebytes Anti-Malware now handles this correctly, along with a slew of other intentional PE corruptions we’ve seen before. One more malware writer’s trick dispatched. Do your worst, malware! Bring it on.


  • http://www.facebook.com/profile.php?id=1504347988 brittanycoleman

    Great article.

  • stefankurtzhals

    There are so many ways to patch around with the PE format to confuse the parsers in the AV engines. I don’t know how many attempts I saw in the past that attacked the Avira scan engine. Found no crafted crash file so far, luckily. I really don’t get why Microsoft allows so many absurd modifications to PE executables. A more strict sanity check before executing would help a lot. But then, compatibility is all…

    A recent trick was to add the crypted data for VB6 droppers to the end of the rsrc section, in UPX packed state. The static UPX unpacker in the engine drops that data while unpacking the sample. I think I modified TR/Dropper.Gen enough to convince the malware writers that this approach is a futile method. :) Let’s see what comes next.

  • Marc Ochsenmeier

    I would be interested to test these crafted binaries with PeStudio http://www.winitor.com
