As you can read in the post, they found some malware samples using FPU instructions that lead to incorrect disassembly in several debuggers and disassemblers.
I decided to write a small Python script to help us identify this trick and potentially other similar ones. The script basically tries to disassemble the first ten instructions at the entry point of an executable using Pefile and Pydasm and it will warn you if some instructions can’t be disassembled.
$ python2.7 disaep.py -i ./714472dfd11dcd8efe79d592ca990b95.exe
push byte 0xffffffff
push dword 0x490bc0
You can use the script to scan your malware repository for samples showing this behavior. Let’s see some examples:
As Microsoft says in the blog post most of the samples we have found are from either the Farfli or Zegost family.
Using this information we have created a Yara rule that can be used to detect these FPU’s at the entry point:
Finally Microsoft mentioned that they couldn’t find any mention to this trick in the underground forums but we found this post from last year that could be related:
Now you can use the script we shared to hunt for new samples and instructions.