Hunting for malware with undocumented instructions

July 1, 2013 | Jaime Blasco

A few days ago Microsoft Malware Protection Center published a great blog post about some undocumented instruction tricks being used by several malware families.

As you can read in the post, they found some malware samples using FPU instructions  that lead to incorrect disassembly in several debuggers and disassemblers.

I decided to write a small Python script to help us identify this trick and potentially other similar ones. The script basically tries to disassemble the first ten instructions at the entry point of an executable using Pefile and Pydasm and it will warn you if some instructions can’t be disassembled.

$ python2.7 -i ./714472dfd11dcd8efe79d592ca990b95.exe


push ebp

mov ebp,esp

push byte 0xffffffff

push dword 0x490bc0

You can use the script to scan your malware repository for samples showing this behavior. Let’s see some examples:



Unknown Opcode


Captura de pantalla 2013-06-30 a la(s) 16.15.04




Unknown Opcode


Captura de pantalla 2013-06-30 a la(s) 16.17.49




Unknown Opcode


Captura de pantalla 2013-06-30 a la(s) 16.32.30


As Microsoft says in the blog post most of the samples we have found are from either the Farfli or Zegost family.

Using this information we have created a Yara rule that can be used to detect these FPU’s at the entry point:


Captura de pantalla 2013-06-30 a la(s) 16.42.59


Finally Microsoft mentioned that they couldn’t find any mention to this trick in the underground forums but we found this post from last year that could be related:


Captura de pantalla 2013-06-30 a la(s) 16.49.31



Captura de pantalla 2013-06-30 a la(s) 16.49.25


Now you can use the script we shared to hunt for new samples and instructions.

Happy hunting!

Jaime Blasco

About the Author: Jaime Blasco

Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AT&T Cybersecurity, Jaime leads the Alien Labs Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AT&T, Jaime was Chief Scientest at AlienVault. Prior to that, he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.

Read more posts from Jaime Blasco ›


Watch a Demo ›
Get Price Free Trial