{"id":35541,"date":"2014-05-21T01:16:00","date_gmt":"2014-05-21T08:16:00","guid":{"rendered":"http:\/\/blogs.mcafee.com\/?p=35541"},"modified":"2025-06-02T23:24:35","modified_gmt":"2025-06-03T06:24:35","slug":"necurs-zbot-droppers-use-obfuscated-windows-xp-detection-bypass-automated-analysis","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/necurs-zbot-droppers-use-obfuscated-windows-xp-detection-bypass-automated-analysis\/","title":{"rendered":"Necurs, Zbot Use Obfuscated Windows XP Detection to Bypass Analysis"},"content":{"rendered":"<p><em>This blog was written by Sanchit Karve.<\/em><\/p>\n<p>McAfee Labs has recently come across a number of malware samples that drop Zbot and Necurs rootkits. These use a discreet technique to intentionally crash Windows XP. Interestingly, the malware achieves its OS awareness without using any standard Windows API functions. Instead, it relies on the differences in default register values as well as its own entry point for Windows XP and Windows 7.<\/p>\n<p>It is unclear exactly why the malware does this but it may be for one or more of the following reasons:<\/p>\n<ul>\n<li>Preventing the detection of operating system awareness by static malware analysis systems that look for\u00a0<a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/ms724439(v=vs.85).aspx\" target=\"_blank\" rel=\"noopener noreferrer\">GetVersion()<\/a>\u00a0or\u00a0<a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/dn424972(v=vs.85).aspx\" target=\"_blank\" rel=\"noopener noreferrer\">Version Helper<\/a>\u00a0calls.<\/li>\n<li>Preventing behavioral analysis of samples replicated on Windows XP, which isn&#8217;t uncommon. 
After all, several public malware analyzers&#8211;\u00a0<a href=\"https:\/\/www.virustotal.com\/en\/file\/e2bc269ffbc76695ba4ece3869e0245351afe7c58626a332e6f3307319980d88\/analysis\/#behavioural-info\" target=\"_blank\" rel=\"noopener noreferrer\">VirusTotal<\/a>,\u00a0Anubis,\u00a0and others&#8211;use Windows XP by default. We can see that the sample fails to replicate on those systems.\u00a0You can see the result of this technique thanks to\u00a0<a href=\"https:\/\/www.joesecurity.org\/\" target=\"_blank\" rel=\"noopener noreferrer\">Joe Security&#8217;s<\/a>\u00a0<a href=\"https:\/\/www.file-analyzer.net\/analysis\/4140\" target=\"_blank\" rel=\"noopener noreferrer\">public listing<\/a>\u00a0of a sample&#8217;s execution results on both Windows XP and Windows 7, in which it&#8217;s clear that the sample replicates on Windows 7 but fails to do so on Windows XP.<\/li>\n<li>The packaged Zbot and Necurs rootkit were not designed for Windows XP.<\/li>\n<li>The malware distributors have no interest in infecting Windows XP systems.<\/li>\n<\/ul>\n<p><span style=\"line-height: 1.5em;\">The Windows XP detection method is spread out across functions to make it difficult to (automatically or manually) identify its intention. 
The technique depends on the default values of registers EDI and EDX as well as on the sample entry-point address, and was probably conceived using information from <\/span><a style=\"line-height: 1.5em;\" href=\"https:\/\/code.google.com\/p\/corkami\/wiki\/InitialValues\" target=\"_blank\" rel=\"noopener noreferrer\">Ange Albertini&#8217;s research on the subject<\/a><span style=\"line-height: 1.5em;\">.<\/span><\/p>\n<h2><strong>Static analysis of the anti-Windows XP approach<\/strong><\/h2>\n<p>At 0x40179C the samples push the default value of EDI as one of the arguments to an inner function.<\/p>\n<p>In the inner function, ESI is set to the value of EDI and EDI is set to zero, after which the next inner function is called.<\/p>\n<p>A hardcoded DWORD 0x6573E2BF (deceptively stored as a string) is pushed as an argument to the next inner function.<\/p>\n<p>At this stage the hardcoded DWORD is loaded into EAX while the value of EDI (stored in ESI) is pushed on the stack as an argument to the has_antiXPCode() function.<br \/>\nThe sample uses a well-known but nifty trick to fool smarter disassemblers into thinking that this value is an argument for the is_never_called() function, even though that function is in fact never called. It is actually an argument to the has_antiXPCode() function.<\/p>\n<p>After all the variables are set up, the sample is finally ready to perform the OS check.<\/p>\n<p>The samples first restore the original value of EDI (using the instruction: mov edi, esi). Another value then appears to be subtracted from EDI, but this is just obfuscation. When executed, this value (at ECX + 0xC) is always zero and does not change the original value of EDI. ECX is then modified as follows:<\/p>\n<p style=\"padding-left: 30px;\">ECX = EAX + 0x144 + f(EDI) (where f is a sequence of subtraction, right-shift, and multiplication operations on EDI).<\/p>\n<p>The function f itself is irrelevant and is present only to obfuscate. 
What is important, though, is that ECX now has a value of at least 0x6573E403 (the hardcoded constant + 0x144). EBX is then computed from this value: EBX = ECX + (original_EDI_value - 4). EBX therefore also holds a large value, which is necessary for the sample to crash if Windows XP is detected.<\/p>\n<p>The next piece of code sets the zero flag by decrementing ECX and checking whether its <a href=\"https:\/\/en.wikipedia.org\/wiki\/Least_significant_bit\" target=\"_blank\" rel=\"noopener noreferrer\">least significant bit (LSB)<\/a> is set (using the instruction: test cl, 1). The hardcoded constant and the function f() are specifically chosen such that the LSB of ECX is never set, causing the zero flag to be set by the test instruction. However, just in case the numbers don&#8217;t work out, the malware author has added a sanity check that exits the function immediately if the zero flag has not been set.<\/p>\n<p>Finally, the sample checks whether the LSB of the EDX register is set. If it is, the test instruction clears the zero flag, so the jump at the JNZ instruction is taken to the location that calls the maliciousCodePath() function. 
If it isn&#8217;t, the jump is not taken, and the subsequent read of [ebx + 4] is likely to cause an access violation because EBX contains a large value (at least 0x6573E403) that is probably not accessible by the process.<\/p>\n<p>To make sense of this process, let&#8217;s look at the default values of the EDX and EDI registers on Windows XP and Windows 7 (at entry point):<\/p>\n<table border=\"0\" width=\"603\" cellspacing=\"0\" cellpadding=\"2\">\n<tbody>\n<tr>\n<td valign=\"top\" width=\"133\"><\/td>\n<td valign=\"top\" width=\"259\"><strong>Windows XP<\/strong><\/td>\n<td valign=\"top\" width=\"209\"><strong>Windows 7<\/strong><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"133\"><strong>EDX<\/strong><\/td>\n<td valign=\"top\" width=\"259\">0x7C90E4F4 (ntdll.KiFastSystemCallRet)<\/td>\n<td valign=\"top\" width=\"209\">0x0040524D (ModuleEntryPoint)<\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"133\"><strong>EDI<\/strong><\/td>\n<td valign=\"top\" width=\"259\">0x7C910208<\/td>\n<td valign=\"top\" width=\"209\">0x00000000<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2><strong>Windows XP<\/strong><\/h2>\n<p>Since the LSB of EDX is not set, the zero flag will be set by the instruction test dl, 1. This ensures that the jump to the location where the real malicious code is executed is never taken; execution instead moves to a part of the code where the value at the address stored in EBX is read. But as EDI is set to 0x7C910208 on Windows XP, the sample eventually attempts to read the value at 0xE3FB0E8E, which lies in system memory and is inaccessible from user mode, thus guaranteeing an access violation.<\/p>\n<h2><strong>Windows 7<\/strong><\/h2>\n<p>On Windows 7, EDX is always set to the entry point of the process being executed. The samples in question have been crafted such that their entry point is at an address whose LSB is set (0x40424D). 
Due to this, the test instruction will unset the zero flag causing the jump to take place and execute the malicious code.<\/p>\n<p>Even though the sample uses a convoluted technique to achieve OS awareness, at its heart it simply checks the default value of EDX as demonstrated by this C program:<\/p>\n<p>When compiled with the <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/f9t8842e.aspx\" target=\"_blank\" rel=\"noopener noreferrer\">\/ENTRY:xpcheck linker switch<\/a>, the resulting binary can detect Windows XP.<\/p>\n<p>McAfee detects these malware variants as PWSZbot-FQC. The Necurs rootkit can be removed using <a title=\"Rootkit Remover\" href=\"https:\/\/www.mcafee.com\/us\/downloads\/free-tools\/rootkitremover.aspx\">Rootkit Remover<\/a>.<\/p>\n<h2><strong>Samples that use this technique (MD5)<\/strong><\/h2>\n","protected":false},"excerpt":{"rendered":"<p>This blog was written by Sanchit Karve. 
McAfee Labs has recently come across a number of malware samples that drop&#8230;<\/p>\n","protected":false},"author":695,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[1814,3923,180,18],"coauthors":[4136],"class_list":["post-35541","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-computer-security","tag-email-and-web-security","tag-malware","tag-network-security"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Necurs, Zbot Use Obfuscated Windows XP Detection to Bypass Analysis | McAfee Blog<\/title>\n<meta name=\"description\" content=\"This blog was written by Sanchit Karve. McAfee Labs has recently come across a number of malware samples that drop Zbot and Necurs rootkits. These use a\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Necurs, Zbot Use Obfuscated Windows XP Detection to Bypass Analysis | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"This blog was written by Sanchit Karve. McAfee Labs has recently come across a number of malware samples that drop Zbot and Necurs rootkits. 
These use a\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/necurs-zbot-droppers-use-obfuscated-windows-xp-detection-bypass-automated-analysis\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2014-05-21T08:16:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-03T06:24:35+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/wp-content\/uploads\/sanchitkarve_antixp_analysis1_thumb.png\" \/>\n<meta name=\"author\" content=\"McAfee Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee_Labs\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee Labs\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/necurs-zbot-droppers-use-obfuscated-windows-xp-detection-bypass-automated-analysis\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/necurs-zbot-droppers-use-obfuscated-windows-xp-detection-bypass-automated-analysis\/\"},\"author\":{\"name\":\"McAfee Labs\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\"},\"headline\":\"Necurs, Zbot Use Obfuscated Windows XP Detection to Bypass Analysis\",\"datePublished\":\"2014-05-21T08:16:00+00:00\",\"dateModified\":\"2025-06-03T06:24:35+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/necurs-zbot-droppers-use-obfuscated-windows-xp-detection-bypass-automated-analysis\/\"},\"wordCount\":1078,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"keywords\":[\"computer security\",\"email and web security\",\"malware\",\"network security\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/necurs-zbot-droppers-use-obfuscated-windows-xp-detection-bypass-automated-analysis\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/necurs-zbot-droppers-use-obfuscated-windows-xp-detection-bypass-automated-analysis\/\",\"name\":\"Necurs, Zbot Use Obfuscated Windows XP Detection to Bypass Analysis | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"datePublished\":\"2014-05-21T08:16:00+00:00\",\"dateModified\":\"2025-06-03T06:24:35+00:00\",\"description\":\"This blog was written by Sanchit Karve. 
McAfee Labs has recently come across a number of malware samples that drop Zbot and Necurs rootkits. These use a\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/necurs-zbot-droppers-use-obfuscated-windows-xp-detection-bypass-automated-analysis\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/necurs-zbot-droppers-use-obfuscated-windows-xp-detection-bypass-automated-analysis\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/necurs-zbot-droppers-use-obfuscated-windows-xp-detection-bypass-automated-analysis\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Necurs, Zbot Use Obfuscated Windows XP Detection to Bypass Analysis\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security 
News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\",\"name\":\"McAfee Labs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"caption\":\"McAfee Labs\"},\"description\":\"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. 
See our blog posts below for more information.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee_Labs\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/35541","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/695"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=35541"}],"version-history":[{"count":3,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/35541\/revisions"}],"predecessor-version":[{"id":214994,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/35541\/revisions\/214994"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=35541"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=35541"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=35541"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=35541"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}