16 March 2008 22:39 GMT
Software for educational purposes! You kidding me??
Today I came across a dodgy piece of software which called itself Cryptic v2.3. This piece of malware claims to be an EXE encryptor with the main idea being it will run an encryption routine over your binary file to prevent reverse engineering. It does everything but encrypt!
When I ran Cryptic on a clean executable, it produced an encrypted file whose execution was broken. And this was not a one-off case, every executable I tried to encrypt was broken. Finding this suspicious? Good :)
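One check worth doing before trusting any "EXE crypter" is to look at what it actually wrote. Below is an added Python example (my own code, not from the post or from Sophos) that compares an input binary with the tool's output: it measures per-window Shannon entropy and tests whether the input still sits in the output verbatim. A tool that really encrypts the body leaves a high-entropy blob with no plaintext copy; one that only claims to does not. The sample "executable", the XOR keystream standing in for an encryption pass, and the model of a bogus tool's output are all constructed here for illustration and are not samples of Cryptic.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def windowed_entropy(data: bytes, window: int = 1024) -> list:
    """Entropy per fixed-size window, so a small high-entropy region cannot
    mask a large plaintext region (or vice versa) in one file-wide number."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def assess_crypter_output(original: bytes, produced: bytes, threshold: float = 6.5) -> dict:
    """Triage heuristic: did the tool transform its input at all?
    'plaintext_retained' - the whole original is present verbatim in the output
    'looks_encrypted'    - mean window entropy is high AND no verbatim copy remains
    The 6.5 bits/byte threshold is a working assumption, not a published figure."""
    out_windows = windowed_entropy(produced)
    in_windows = windowed_entropy(original)
    mean_out = sum(out_windows) / len(out_windows) if out_windows else 0.0
    mean_in = sum(in_windows) / len(in_windows) if in_windows else 0.0
    retained = bool(original) and original in produced
    return {
        "mean_entropy_in": round(mean_in, 2),
        "mean_entropy_out": round(mean_out, 2),
        "plaintext_retained": retained,
        "looks_encrypted": mean_out >= threshold and not retained,
    }


# Constructed stand-in for a clean executable: a DOS-style magic, a repeated
# instruction-like byte pattern and some strings. Not a real PE, just low-entropy input.
CLEAN_INPUT = (b"MZ\x90\x00"
               + b"\x55\x8b\xec\x83\xec\x10\x33\xc0\xc9\xc3" * 300
               + b"Hello from a clean test executable\x00" * 20)


def xor_with_keystream(data: bytes, seed: int) -> bytes:
    """Stand-in for an encryption pass (NOT a secure cipher): XOR with a seeded PRNG stream."""
    rng = random.Random(seed)
    return bytes(b ^ rng.randrange(256) for b in data)


# Constructed placeholder for the small decryptor stub a crypter would prepend.
STUB = b"LOADER-STUB-" + b"\x00" * 52

# Roughly what an honest crypter's output looks like: stub plus an encrypted body.
HONEST_OUTPUT = STUB + xor_with_keystream(CLEAN_INPUT, seed=1234)

# Constructed model of a tool that only claims to encrypt: stub, the input body
# unchanged, and some padding. This is an assumption about such output, not a
# sample of the tool discussed in the post.
BOGUS_OUTPUT = STUB + CLEAN_INPUT + b"\x00" * 512


if __name__ == "__main__":
    print("honest:", assess_crypter_output(CLEAN_INPUT, HONEST_OUTPUT))
    print("bogus: ", assess_crypter_output(CLEAN_INPUT, BOGUS_OUTPUT))
```

Entropy alone is not proof of encryption (compressed resources are high-entropy too), which is why the check also looks for the unchanged input inside the output; a result of "not encrypted" from a tool that claims otherwise is exactly the kind of mismatch that should send the file to a sandbox rather than onto a machine.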
Out of curiosity I clicked on the “About” button and read a most amusing disclaimer:
“This software is for educational purposes only. No responsibility is held or accepted for misuse.”
I have to tell everyone out there using this “EXE Crypter” for educational purposes, don’t say the author didn’t warn you about playing foul!
We detect this malware as Troj/Crypdrop-A and two of the major dropped components were proactively detected as Mal/Emogen-Z. Troj/Crypdrop-A is a backdoor Trojan which drops more malware and attempts to contact a remote server while pretending to be an “EXE Crypter”. It is also a rather nasty bugger with process monitoring to re-spawn itself if you manually kill the program.
Numaan Huq, SophosLabs Canada