
Could cybercriminals show the entertainment industry how to do it?

James Wyke at SophosLabs UK has an interesting post about Zbot samples (aka the Zeus Crimeware Kit) that defy analysis.

…these Zbot samples have been crafted to ensure that they only work when executed on one specific machine and from one specific path. Any attempt to execute the sample on a different machine or from a different path will result in early termination of the malware and no impact on the target system.

James then describes how it is done, concluding

So when the malware sample is discovered on the machine and sent off for analysis it will be executed on a new machine and generate a new GUID based on different hardware and OS information, which will fail the comparison and result in a sample that does nothing, causing AV researchers to scratch their heads and wonder what’s going on.

I was just beginning to think that techniques like this could perhaps be used by rightsholders to protect their rights, when he adds

This sophisticated technique is very similar to hardware based licensing systems employed by major software companies to protect their products from piracy. But until now I had not seen the technique used to protect malware binaries from analysis.
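The binding described above, as an added illustration that is not code from this page, from SophosLabs or from Zbot itself: the post says only that hardware and OS information are combined with the executable's path into a GUID that is compared against a value fixed when the sample was built. Which fields are hashed, the use of SHA-256, and the victim and sandbox values below are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import platform
import sys
import uuid


def fingerprint(hostname: str, mac: int, os_version: str, exe_path: str) -> str:
    """Derive one identifier from machine facts plus the executable's own path.

    The field set is an assumption for illustration; the post does not say
    which hardware and OS values the real samples hash, only that they are
    combined with the path and compared against a build-time value.
    """
    # Canonicalise each input so cosmetic differences (case, slash style) do
    # not break the match on the machine the sample was built for.
    canonical = "\x00".join([
        hostname.strip().lower(),
        f"{mac:012x}",
        os_version.strip(),
        exe_path.replace("\\", "/").rstrip("/").lower(),
    ])
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def collect_local() -> dict:
    """Gather the same facts from the machine this script is running on."""
    return {
        "hostname": platform.node(),
        "mac": uuid.getnode(),
        "os_version": platform.platform(),
        "exe_path": os.path.abspath(sys.argv[0]),
    }


def should_run(expected: str, facts: dict) -> bool:
    """Start-up gate: proceed only if the live fingerprint equals the embedded one."""
    return hmac.compare_digest(fingerprint(**facts), expected)


# Constructed facts for the machine the sample was built for (not real data).
VICTIM = {
    "hostname": "WKS-0417",
    "mac": 0x001A2B3C4D5E,
    "os_version": "Windows-7-6.1.7601-SP1",
    "exe_path": r"C:\Users\alice\AppData\Roaming\svchost.exe",
}

# What a builder would embed in the binary: the digest, not the inputs, so an
# analyst holding the sample cannot read the victim's identity back out of it.
EXPECTED = fingerprint(**VICTIM)

# Constructed facts for an analysis VM that receives a copy of the sample.
SANDBOX = {
    "hostname": "ANALYSIS-VM",
    "mac": 0x080027AABBCC,
    "os_version": "Windows-7-6.1.7601-SP1",
    "exe_path": r"C:\samples\svchost.exe",
}


def payload() -> str:
    """Stand-in for the malicious logic; here it only returns a marker string."""
    return "payload ran"


def run(expected: str, facts: dict) -> str:
    """Behave as the described samples do: silent exit unless bound to this host and path."""
    if not should_run(expected, facts):
        return "exited early"
    return payload()


if __name__ == "__main__":
    moved = {**VICTIM, "exe_path": r"C:\Temp\svchost.exe"}
    print("victim machine, original path:", run(EXPECTED, VICTIM))
    print("victim machine, file moved   :", run(EXPECTED, moved))
    print("analysis VM                  :", run(EXPECTED, SANDBOX))
    print("this host                    :", run(EXPECTED, collect_local()))
```

Running it shows the three outcomes the post describes: the sample runs on the victim machine at its original path, does nothing once the file is copied elsewhere on the same machine, and does nothing in the sandbox. Because only the digest travels with the binary, the analyst cannot recover the victim's identifiers from it; the practical ways round the check are to run the sample on the original machine, to replay the victim's facts into each probed value, or, once the comparison has been located in the binary, to patch it out.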

So tell me this: if cybercriminals can target their trojans to run on one computer and one computer alone, how come the entertainment industry needs the full weight of international treaties and draconian laws to stop their files being run on more than one computer?

Blog entry
