Analysis of an interesting set of SpyEye droppers from a single botmaster. The most recent sample's VirusTotal result is 0/42. #malware #botnet

1. Analysis
1) The file size is always approx. 130 kilobytes.
2) The PE section table shows recurring patterns (virtual addresses, virtual sizes, entropy, etc.). The packer (or crypter) is not very advanced.
3) The packer (or crypter) tries to obfuscate the PE section names.
4) The .rsrc section is large and its entropy is high; the payload is clearly stored there in packed (or encrypted) form.
5) The packer (or crypter) tries to obfuscate the import table, but "VirtualProtect" is always imported (the unpacker needs it to make the decrypted region writable and executable).
6) The packer (or crypter) tries to obfuscate the export table too, but there are always some patterns.
7) The most recent dropper tries to anti-debug (SetUnhandledExceptionFilter: a registered filter is bypassed when a debugger is attached, so the code placed in it only runs outside a debugger). My tool (Zero Wine Tryouts) failed to analyze its behavior. :(
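The indicators above are cheap enough to turn into a static triage script. The following is an added example written for this page, not the author's tooling and not part of Zero Wine Tryouts: it parses the COFF section table with the standard library only, computes per-section entropy, flags non-standard section names and a dominant high-entropy .rsrc, and looks for the two API names as plain strings (a stand-in for walking the import directory, so an import resolved by hash would be missed). The file-size window, the entropy threshold and the list of "standard" section names are assumptions, and the PE it scores is constructed in memory rather than one of the samples.

```python
import math
import struct

# Section names a normal MSVC/MinGW build emits; anything else counts as obfuscated here (assumption).
STANDARD_SECTION_NAMES = {
    b".text", b".data", b".rdata", b".rsrc", b".reloc", b".bss",
    b".idata", b".edata", b".tls", b".pdata", b".CRT",
}
SIZE_WINDOW = (100 * 1024, 160 * 1024)  # "approx. 130 KB"; exact bounds are an assumption
ENTROPY_THRESHOLD = 7.0                  # assumption; packed/encrypted data sits near 8.0
FILE_ALIGN, SECTION_ALIGN = 0x200, 0x1000


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk the section table (no third-party PE library) and return name/layout/entropy per section."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0")
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "vaddr": vaddr, "vsize": vsize,
                         "raw_size": raw_size, "entropy": shannon_entropy(raw)})
    return sections


def triage(pe: bytes) -> dict:
    """Score a file against the dropper indicators listed in the post (0 = nothing matched)."""
    sections = parse_sections(pe)
    rsrc = next((s for s in sections if s["name"] == b".rsrc"), None)
    report = {
        "sections": sections,  # kept so the VA/VSize patterns can be eyeballed
        "size_in_window": SIZE_WINDOW[0] <= len(pe) <= SIZE_WINDOW[1],
        "nonstandard_names": [s["name"] for s in sections if s["name"] not in STANDARD_SECTION_NAMES],
        "high_entropy": [s["name"] for s in sections if s["entropy"] > ENTROPY_THRESHOLD],
        # ".rsrc is big and high-entropy": the dominant section looks encrypted
        "rsrc_packed": rsrc is not None and rsrc["raw_size"] > len(pe) // 2
                       and rsrc["entropy"] > ENTROPY_THRESHOLD,
        # Cheap stand-in for walking the import directory: import-by-name entries are
        # plain ASCII, so a string scan finds them. A hash-resolved import is missed.
        "mentions_virtualprotect": b"VirtualProtect" in pe,
        "mentions_seh_filter": b"SetUnhandledExceptionFilter" in pe,
    }
    report["score"] = sum(bool(report[k]) for k in (
        "size_in_window", "nonstandard_names", "rsrc_packed",
        "mentions_virtualprotect", "mentions_seh_filter"))
    return report


def _align(x: int, a: int) -> int:
    return (x + a - 1) // a * a


def build_sample_pe(sections) -> bytes:
    """Build a minimal, non-executable PE32 image from (name, data) pairs. Constructed test input only."""
    n = len(sections)
    hdr_size = 64 + 4 + 20 + 224 + 40 * n
    raw_ptr, vaddr, table, blobs = _align(hdr_size, FILE_ALIGN), SECTION_ALIGN, b"", b""
    for name, data in sections:
        raw_size = _align(len(data), FILE_ALIGN)
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0")[:8], len(data), vaddr,
                             raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += _align(max(len(data), 1), SECTION_ALIGN)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 222               # PE32 magic, rest zeroed
    headers = dos + b"PE\0\0" + coff + opt + table
    return headers.ljust(_align(hdr_size, FILE_ALIGN), b"\0") + blobs


if __name__ == "__main__":
    # Constructed stand-in for a dropper: tiny .text, a junk-named section carrying the
    # VirtualProtect import string, and a huge encrypted-looking .rsrc (~120 KB).
    sample = build_sample_pe([
        (b".text", b"\x90" * 200 + b"\xc3"),
        (b"w4qp", b"\x00\x00VirtualProtect\x00"),
        (b".rsrc", bytes(range(256)) * 480),
    ])
    for k, v in triage(sample).items():
        if k != "sections":
            print(f"{k:24} {v!r}")
```

Run it against a real file with `triage(open(path, "rb").read())`; the score is only a ranking aid for sorting a pile of samples, since any single indicator (a large .rsrc, a VirtualProtect import) is common in benign packed software too.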

2. VirusTotal results (Ordered by VT submission date)
Sample 1 (3/41) http://bit.ly/c4Vs9d
Sample 2 (17/42) http://bit.ly/9Arjy9
Sample 3 (26/42) http://bit.ly/d0K7b7
Sample 4 (33/42) http://bit.ly/d1ZO8b
Sample 5 (0/42) http://bit.ly/bwk4pT

3. Credits
Thanks to @BenKoehl, who sent me a sample!