A virus that infects AMD64-based Windows systems uses some tricky techniques to make defensive reverse engineering more difficult, security firm Symantec said this week.
The virus, dubbed W64.Bounds, is not spreading in the wild, but was submitted as a proof of concept to antivirus researchers. The program is not easy to detect because it encrypts itself using a new algorithm and exploits a Windows feature available only on AMD64 systems to control execution, Peter Ferrie, senior antivirus researcher for Symantec, said in a post on the company's research blog.
"The AMD64 virus is both polymorphic and entrypoint obscuring," Ferrie stated in a second blog post. "The result is that it is not a simple matter to find the true start of the decryptor and to emulate from the wrong place can result in incorrect decryption."
The virus exploits legitimate Windows features that enhance performance on systems using 64-bit technology, formally known as x86-64, pioneered by Advanced Micro Devices and later adopted by Intel for the EM64T processor. The virus is not the first AMD64 virus; two years ago, a virus author released W64.Shruggle, which infected AMD64 Windows Portable Executable (PE) files. Another virus, dubbed W64.Rugrat, targeted the 64-bit Windows features of Intel Itanium-based systems.
A variant of the virus for 32-bit systems, dubbed W32.Bounds, uses similar techniques to hide its programmatic entrypoint on Windows systems based on 32-bit processors, according to Symantec. The company did not highlight what differences, if any, there were between the functionality of the 32-bit and 64-bit versions of the virus.
Because the virus is a proof of concept, the program was not designed to spread efficiently.
CORRECTION: The original brief did not highlight that Intel's latest processor uses the AMD64 technology and, thus, the techniques used by W64.Bounds would also work on systems using that hardware. The article was also updated to include a mention of a 32-bit version of the same virus that was created by the same author.
Posted by: Robert Lemos