
Packer.Malware.NSAnti.J


First posted on 21 November 2011.
Source: BitDefender

Aliases:

There are no other names known for Packer.Malware.NSAnti.J.

Explanation:

Files detected as Packer.Malware.NSAnti.J are programs that have been packed/protected with NSAnti, a protection system (packer/protector) designed by malware authors to bypass anti-virus protection and to hide the malware's contents.

Characteristics:

It can be recognized by the presence of 3 sections with random names and by the resources (if present) being placed at the start of the main section.

It is able to pack/protect multiple files.

For example, an NSAnti-packed file can contain, besides the main executable, other executable files that are loaded into the address space of the main unpacked file on the fly: they are never written to the file system, and they are not loaded through the usual/documented APIs and methods. Instead the packer maps the sections manually, resolves relocations and fixes up imports itself.

The imports the packer needs are resolved in a nonstandard way: it locates the kernel32 module in memory and then searches its export names by comparing them against precomputed hashes.

The packer's code is position independent (relocatable) and (usually) encrypted.
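As an added example that is not part of the BitDefender entry, the following Python triage check looks for the structural fingerprint described above: exactly three sections with non-standard names and, where resources are present, a resource directory that begins at a section boundary. The sample PE header is constructed inline, and both the list of "ordinary" section names and the interpretation of "at the start of the main section" as "resource RVA equals a section's VirtualAddress" are assumptions; a hit is a hint for deeper analysis, not a verdict.

```python
import struct

# Section names a compiler or linker normally emits; random packer names will not be in here
# (assumed list, not from the original entry).
COMMON_SECTION_NAMES = {".text", ".data", ".rdata", ".rsrc", ".reloc", ".idata", ".edata",
                        ".bss", ".tls", ".pdata", ".debug", "CODE", "DATA", "BSS", ".textbss"}

def parse_sections(pe: bytes):
    """Return ([(name, virtual_address, virtual_size), ...], resource_dir_rva) for a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    data_dirs = opt + (96 if magic == 0x10B else 112)               # PE32 vs PE32+ layout
    rsrc_rva = struct.unpack_from("<I", pe, data_dirs + 2 * 8)[0]  # entry 2 = resource table
    sections = []
    for i in range(nsections):
        name, vsize, vaddr = struct.unpack_from("<8sII", pe, opt + opt_size + i * 40)
        sections.append((name.rstrip(b"\0").decode("latin-1"), vaddr, vsize))
    return sections, rsrc_rva

def looks_like_nsanti(pe: bytes) -> bool:
    """Triage heuristic: exactly 3 non-standard section names and, if resources exist,
    a resource directory that starts exactly at a section boundary (assumed 'main section')."""
    sections, rsrc_rva = parse_sections(pe)
    if len(sections) != 3 or any(n in COMMON_SECTION_NAMES for n, _, _ in sections):
        return False
    if rsrc_rva == 0:
        return True                     # no resources: the section layout alone matches
    return any(rsrc_rva == vaddr for _, vaddr, _ in sections)

def build_sample_pe(section_names, rsrc_rva):
    """Constructed minimal PE32 header (not runnable, not a real sample) to exercise the check."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    opt_size = 224
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<II", opt, 96 + 2 * 8, rsrc_rva, 0x200 if rsrc_rva else 0)
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), 0x1000,
                                0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020)
                    for i, n in enumerate(section_names))
    return dos + b"PE\0\0" + coff + bytes(opt) + secs

if __name__ == "__main__":
    print(looks_like_nsanti(build_sample_pe([".vfdq", "hxzle", "qqwnm"], 0x1000)))          # True
    print(looks_like_nsanti(build_sample_pe([".text", ".rdata", ".data", ".rsrc"], 0x4000)))  # False
```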

Methods used to avoid detection:

It has the ability to detect virtual machines and crash under them.

It generates a lot of exceptions (anti-debugging trick).

It has polymorphic code.

Its code is morphed by inserting garbage instructions, very long (and useless) loops that make it very slow, and/or by constructing the required data in multiple steps via add/sub/xor operations; it also inserts garbage calls to functions that do nothing.

The polymorphic code has been changed very frequently in order to avoid detection of the packed/protected file(s) by anti-virus products. Its sole purpose is to defeat emulation and detection: the anti-debugging tricks cannot really stop manual debugging/tracing of the packer, so these tricks are present only to stop emulation and analysis by anti-virus products.

It has never been used for legitimate purposes.

Last update 21 November 2011
