In association with heise online

25 November 2010, 15:24

Trojan spurns low-spec systems - Update


Anti-virus software vendor F-Secure reports that a new version of Zeus does not infect systems whose processors run at less than 2 GHz. In order to avoid early detection and make life more difficult for virus analysts, many pieces of malware try to determine, when executed, whether they are running in an analysis environment. If a piece of malware concludes that its process is being executed under the control of a debugger, it terminates without infecting the computer.

One standard way of detecting the presence of a debugger is timing analysis using the Read Time Stamp Counter (RDTSC) instruction, which returns the number of processor clock ticks since reset. On analysing a new ZBot variant, an F-Secure virus analyst discovered something unusual. If fewer than 2^32 timer ticks occur during a 2-second program pause, the trojan assumes that the computer is being slowed down by a debugger and terminates immediately. But a system with a clock speed below roughly 2 GHz will fail this test even when running at full speed – with the result that the bot turns its nose up at lame duck systems. F-Secure tested the theory by unleashing the malware on an IBM T42 laptop running at 1.86 GHz – it came through unscathed. However, it's not yet clear whether this effect is deliberate or simply the result of poor maths on the part of the virus author.
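To see why the timer test is tied to the clock frequency, here is a small model of the check in C. It is an added illustration, not code from the article or from the malware sample. The model assumes the trojan reads the 64-bit timestamp counter (RDTSC returns the low 32 bits in eax and the high 32 bits in edx) before and after a 2-second pause, and treats the system as debugged when the high 32 bits have not changed; that is one reading consistent with the article, not a confirmed disassembly. The simulation uses plain arithmetic instead of the real instruction, so it runs anywhere and gives deterministic results.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define PAUSE_SECONDS 2.0
#define TWO_POW_32    4294967296.0   /* 2^32 ticks: the point at which edx changes */

/* Number of TSC ticks that elapse during the pause at a given clock (constructed model). */
uint64_t ticks_during_pause(double ghz)
{
    return (uint64_t)(ghz * 1e9 * PAUSE_SECONDS + 0.5);
}

/* Assumed check: the counter's high 32 bits (edx) must differ between the two reads.
 * tsc_start is the full 64-bit counter value returned by the first RDTSC. */
bool timer_check_passes(uint64_t tsc_start, double ghz)
{
    uint64_t tsc_end = tsc_start + ticks_during_pause(ghz);
    uint32_t edx_start = (uint32_t)(tsc_start >> 32);
    uint32_t edx_end   = (uint32_t)(tsc_end >> 32);
    return edx_end != edx_start;   /* unchanged edx -> "too slow, must be a debugger" */
}

/* Lowest clock at which the check passes for every starting eax: 2^32 ticks in 2 s. */
double always_pass_ghz(void)
{
    return TWO_POW_32 / PAUSE_SECONDS / 1e9;   /* about 2.147 GHz */
}

/* Fraction of starting eax values for which the check passes at a given clock.
 * Below the threshold, only starts whose low word wraps past 2^32 during the pause pass. */
double pass_fraction(double ghz)
{
    uint64_t ticks = ticks_during_pause(ghz);
    if ((double)ticks >= TWO_POW_32)
        return 1.0;
    return (double)ticks / TWO_POW_32;
}

int main(void)
{
    double clocks[] = { 1.0, 1.86, 2.0, 2.2, 3.0 };   /* constructed sample clocks in GHz */
    printf("%-8s %-10s %-10s %s\n", "GHz", "eax=0", "eax=0xF000..", "pass fraction");
    for (size_t i = 0; i < sizeof clocks / sizeof clocks[0]; i++) {
        printf("%-8.2f %-10s %-12s %.3f\n", clocks[i],
               timer_check_passes(0, clocks[i]) ? "infects" : "exits",
               timer_check_passes(0xF0000000ULL, clocks[i]) ? "infects" : "exits",
               pass_fraction(clocks[i]));
    }
    printf("check always passes from %.3f GHz upwards\n", always_pass_ghz());
    return 0;
}
```

Under this model a machine clocked above about 2.15 GHz always passes, while a 1.86 GHz laptop passes only when the low half of the counter happens to be high enough at the first read to wrap during the pause, which is exactly the frequency-plus-eax dependence described in the update. For an analyst this matters when choosing a sandbox: a slow or throttled analysis machine can make the sample exit cleanly and look harmless.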

Update - It seems that the F-Secure analysis wasn't quite rigorous enough. A closer look at the assembly code shows that systems with CPU clocks below 2 GHz are not always spared, only less likely to be infected. Whether a given system is infected depends on its exact clock frequency and on the value returned in eax by the first RDTSC call.
