Messages from Malware authors in Malware

During our analysis of different malware families, we sometimes stumble upon messages that the authors have placed inside their malware. For example, the TDSS Trojan family is known to contain random strings from “Hamlet” and from the Bible. The Koobface family also contains random sentences, mostly taken from Wikipedia articles; the last variant we discovered used text about the Tower of London.

TDSS:

Koobface:

This behaviour has been seen for quite some time. Some malware authors use it, maybe to confuse the virus analysts, but most likely to bypass systems that use simple checksums to identify known files. The Zbot/ZeuS malware authors also sent us a hidden message inside a sample back in July 2008.

In the latest variants they do not focus on Avira or any other antivirus company, but instead place some hints about where to create the detection pattern.

This string is located directly before the location where the encrypted body of the malware begins.
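The point above about filler text defeating simple checksums, as an added example (not code from the original post or from any Avira product): the file layout, byte values and signature below are constructed placeholders. It shows a whole-file SHA-256 blocklist missing a variant whose only change is the embedded sentence, while a byte-pattern signature over the unchanged region still matches.

```python
import hashlib

# Constructed stand-in for the bytes that stay the same across variants
# (placeholder values, not taken from any real sample).
BODY = bytes.fromhex("deadbeef") + b"\x90" * 8 + bytes.fromhex("cafebabe")

# Byte-pattern signature over the stable region; None is a one-byte wildcard.
SIGNATURE = [0xDE, 0xAD, None, 0xEF] + [0x90] * 8 + [0xCA, 0xFE]


def build_sample(filler: str) -> bytes:
    """Constructed layout: header, author-chosen filler text, stable body."""
    return b"HDR0" + filler.encode("ascii") + b"\x00" + BODY


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_signature(data: bytes, sig=SIGNATURE) -> int:
    """Return the offset of the first signature match, or -1 if none."""
    for off in range(len(data) - len(sig) + 1):
        if all(s is None or data[off + i] == s for i, s in enumerate(sig)):
            return off
    return -1


def scan(data: bytes, known_hashes: set) -> dict:
    """Compare the two identification methods on one file."""
    return {
        "hash_hit": sha256_hex(data) in known_hashes,
        "pattern_offset": find_signature(data),
    }


# Constructed inputs: two variants differing only in filler, plus a clean file.
VARIANT_A = build_sample("To be, or not to be")
VARIANT_B = build_sample("The Tower of London is a historic castle")
CLEAN = b"HDR0" + b"ordinary document text" + b"\x00" * 16
KNOWN_HASHES = {sha256_hex(VARIANT_A)}  # blocklist built from variant A only

if __name__ == "__main__":
    for name, blob in [("A", VARIANT_A), ("B", VARIANT_B), ("clean", CLEAN)]:
        print(name, scan(blob, KNOWN_HASHES))
```

The pattern offset moves with the length of the filler, which is why the signature is searched for rather than read from a fixed position.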

It’s really interesting how the malware authors try to write different strings into the files to entertain the Virus Analysts and make them happier.

Lutz Koch
Virus Researcher