Doqu 2.0 analysis

[Insid3Code]

Quote:

Originally Posted by gigaman

Well, signed drivers are not that surprising, there were quite a few of those already.

However, is there a sample (of the signed driver) available here? The files posted on kernelmode.info don't seem to be signed.

MD5: 92e724291056a5e30eca038ee637a23f
Certificate Serial number of Foxconn: ‎256541e204619033f8b09f9eb7c88ef8

Attached from kernelmode.info

[gigaman]

Ah, my bad, I was checking only the first batch in the beginning of the thread.
Thanks a lot.

[dyn!o]

Still wondering why the developers did not transform classic machine code into custom architecture run on custom interpreter (security of critical places).

Considering such a step the analysis we read would be nearly impossible to complete (in reasonable time)...

[gigaman]

Maybe such non-x86 blocks (or the corresponding interpreters) are more likely to trigger antivirus heuristics... so while analysis would certainly be harder, the probability of earlier detection could also be higher.

[dyn!o]

You might be right, but then they could implement at least custom virtualization (maintaining actual architecture) + stronger data encryption. Anything, which could slow-down the analysis.

[Stitch]

Quote:

Originally Posted by dyn!o

You might be right, but then they could implement at least custom virtualization (maintaining actual architecture) + stronger data encryption. Anything, which could slow-down the analysis.

Quote:

Originally Posted by gigaman

Maybe such non-x86 blocks (or the corresponding interpreters) are more likely to trigger antivirus heuristics... so while analysis would certainly be harder, the probability of earlier detection could also be higher.

Can you elaborate how this could be done by linking books/tutorials/topic about making it harder to analysis? (I'm not much but new on this area..)
Hope I would get a detailed answer.

-Stitch