The most common malware technique for avoiding detection is to create loads of “fresh” variants. Actually, the component that changes so frequently is the packer – the outer layer of the malware, used by malware authors to encrypt the malware and make it harder to detect – whilst the functionality of the malicious code inside remains the same. The packer writer's job is to modify the "wrapper" when the malware is detected by antivirus engines. By using well-written generic signatures, we’re able to detect large quantities of malware variants, making the malware distributor's job a lot harder.

During our daily sample processing we recently stumbled upon a “greeting” hidden in one such packer:

hey nod32 guys, your last work was very good, i was really surprised. I spent over 4 hours to fix these detections. But the better man still stands. Come along little doggy come along. MUHAHAHAHAHA

It’s good to know that our generic detection gave the author of this packer a hard time. This particular example was the injector component of Win32/Spy.Zbot.YW (a variant of the Zeus trojan). But the same packer was also found supporting other malware families, which demonstrates how things work in the malware business: the author of the packer provides it as a service to other criminals using the Zeus malware kit.

Robert Lipovsky
Malware Researcher