During our analysis of different malware families, we sometimes stumble upon messages placed inside the viruses by their authors. For example, the TDSS Trojan family is known to contain random strings from “Hamlet” and from the Bible. There is also the Koobface family, which contains random sentences, mostly taken from Wikipedia articles; the latest variant we discovered contains text about the Tower of London.

TDSS:

[Image: 01-tdss]

Koobface:

[Image: 02-koobface]

This behavior has been seen for quite some time and is used by some malware authors, maybe to confuse virus analysts, but most likely to bypass systems that use simple checksums to identify known files. The Zbot/ZeuS malware authors also sent us a hidden message inside a sample back in July 2008.

In the latest variants they do not address any particular antivirus company but instead leave hints about where to create the detection pattern.

[Image: 03-zbot_message]

This string is located directly before the location where the encrypted body of the malware begins.

[Image: 04-ida_entrypoint]

It’s really interesting how malware authors write different strings into their files to entertain the virus analysts and make them happier.
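The point above about simple checksums can be seen from the detection side in a short added example (not code from the original post). All bytes, filler sentences and function names are constructed for illustration: two "variants" share the same core bytes but carry different embedded text, so a whole-file hash lookup misses the second one, while a content pattern or a hash taken after stripping long text runs still matches both.

```python
import hashlib
import re

# Constructed stand-ins: HEADER and CORE are made-up bytes, not from any real sample.
HEADER = b"MZ\x90\x00"
CORE = bytes.fromhex("558bec83ec10a1deadbeef33c5")
TEXT_RUN = re.compile(rb"[\x20-\x7e]{8,}")  # printable ASCII runs of 8+ bytes


def build_sample(filler: str) -> bytes:
    """Assemble a constructed 'variant': same core, different embedded text."""
    return HEADER + filler.encode("ascii") + b"\x00" + CORE


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def known_by_checksum(data: bytes, known_hashes: set) -> bool:
    """Simple checksum identification: exact whole-file hash lookup."""
    return sha256(data) in known_hashes


def matches_pattern(data: bytes, pattern: bytes = CORE) -> bool:
    """Content signature: look for the invariant bytes anywhere in the file."""
    return pattern in data


def normalized_sha256(data: bytes) -> str:
    """Hash the file after dropping long text runs, so filler no longer matters."""
    return sha256(TEXT_RUN.sub(b"", data))


# Constructed inputs: two variants with different filler text, plus a benign file.
variant_a = build_sample("To be, or not to be, that is the question")
variant_b = build_sample("The Tower of London is a historic castle")
benign = HEADER + b"An ordinary readme text" + b"\x00\x01\x02\x03"
known = {sha256(variant_a)}  # blocklist built from the first variant only

if __name__ == "__main__":
    for name, blob in (("variant_a", variant_a), ("variant_b", variant_b),
                       ("benign", benign)):
        print(name, known_by_checksum(blob, known), matches_pattern(blob),
              normalized_sha256(blob)[:16])
```

Stripping text runs is only one possible normalization and is itself easy to sidestep, which is why signatures are normally anchored on the code rather than on the whole file.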