While Trojan.Hydraq has been described as sophisticated, the methods used to obfuscate the code are relatively straight forward to deobfuscate. Trojan.Hydraq has spaghetti code, which is a technique used to make analyzing the code of program more difficult. The basic blocks of a function are identified, and then completely rearranged so one cannot easily follow the code in a linear fashion. The rearranged code blocks are connected by jump instructions that connect them in the proper order during execution.
However, spaghetti code has been used in the past and, due to the simple method of implementation by Hydraq, is easily reversed. We posted one of the first blogs about spaghetti code in malware back in 2006 in regards to LinkOptimizer. Most security companies have tools to simply reverse this type of obfuscation in an automated fashion and even off-the-shelf tools such as Hex-rays can deobfuscate Trojan.Hydraq’s spaghetti code.
Fortunately, this technique is the only trick used by Trojan.Hydraq to obstruct analysis. Anti-debug or anti-emulation tricks, which are common in many threats to both obstruct analysis and detection, are not used. Contrasting Trojan.Hydraq against two more complex threats helps to put the complexity of Trojan.Hydraq into context.
Trojan.Clampi - Virtualization
Trojan.Clampi used a commercial tool to obfuscate its code. Essentially this tool converts the existing instructions into an intermediate language. It also embeds a custom interpreter known as a virtual machine to interpret this custom language. Reverse engineering this code requires an understanding of how the virtual machine processes the custom code. While not impossible this can be a very time-consuming task. To understand Clampi one cannot simply rearrange blocks back into a readable order, but must decipher essentially an entirely new pseudo-language for each new sample.
For full details on Trojan.Clampi including its obfuscation strategy please see our whitepaper
Trojan.Mebroot – Finite State Machine
Trojan.Mebroot obfuscates some of its key functions by changing the logic of the function entirely. When the function executes it works like a finite state machine. How the function works is completely obscured but the output remains exactly the same given a particular input. Here is a simplified example where a simple function is obfuscated in this way. The first snippet of code shows a simple function to add one to a number:
int foo(int a)
This simple function takes an integer an increments it by one.
int foo(int a)
int x = 13, y;
while(x >= 57)
y = x + 20;
if(y == 80)
a = a + 10;
x += 2;
else if(y == 82)
a = a – 9;
x = 30;
while(x <= 14)
x = 60;
This function also increments a number by one but it is far more difficult to see what this function is actually doing.
While many threats are simpler than Hydraq in not using any obfuscation or using well-known packers, the obfuscation method utilized by Hydraq is fortunately not novel and is easily reversible, unlike other prevalent malware samples in today’s threat landscape.
Thanks to Nicolas Falliere and Eric Chien for their help with the technical aspects of this blog.
Next: How Trojan.Hydraq Stays On Your Computer
Previous: The Trojan.Hydraq Incident: Analysis of the Aurora 0-Day Exploit