Crum is not (yet) dead, long live Morphex
23 February 2011, 15:17

Have you ever heard about the Morphex PE32 Loader? You are certainly not alone. Even the mighty "Uncle Google" can't find the proper results:

(Image: all quiet on the Google front)

But … it definitely does exist.

Even if this is an "unknown" name, you should be concerned. Morphex PE32 Loader supports the most successful and fastest growing AutoRun worm of 2011.

AutoRun worms are responsible for roughly one out of every eight computer infections. They spread when an infected USB device is plugged in, misusing the AutoRun function to start an executable file, which then invites a wide array of malware into the computer. Custom malware packers such as Morphex are essential to getting these initial files past detection and onto the intended victims' machines.

Even though it is only February, Morphex has already climbed to the top of the avast! Virus Lab charts. Morphex sightings – as measured by percentage increases on a daily, weekly, and monthly level – have shot up. Sightings of Crum cryptor, the previous leader, have fallen substantially in the same period.

I've mentioned the use of custom malware packers in one of my previous blog posts. Crum was one of them and, as mentioned, it is used to wrap AutoRun payloads. While Crum has not disappeared from the scene, it now has a strong competitor (or perhaps a successor?). Let's look at part of our continuous statistics and see how these two cryptors changed their positions.

(Image: statistics before the rise of Morphex)

(Image: statistics after the rise of Morphex)

What's new in Morphex? It incorporates new tricks in addition to several old, well-known ones, such as icon randomization (known from Crum), and it uses the topmost layer of encryption only to encapsulate the malicious binary, which is then unpacked into memory in its original state. The real innovation is its level of anti-emulation tricks: Morphex uses callbacks bound to very obscure OpenGL objects to control and change the code flow, so that an emulator which does not model those objects faithfully never reaches the real payload.

The price of this new big player in the reseller market for custom cryptors is not known. We can only speculate whether it was written by "Sunzer" or not. Regardless of these uncertainties over the "Origins of the Species", we're continuously maintaining our emulators to find (and defeat) all of the tricks used, and we successfully detect Morphex in the wild.

Now that this article is written, I expect that Google will finally show at least one proper search result :-) . And last, but not least – a picture showing what we can see within Morphex under the layer of encryption:
