by lukeschlather 5213 days ago
What exactly is the benefit of obfuscating the source language? Your hypothesis that it's written in Scheme is reasonable, but a DSL by any other name is a basket of Lisp macros. It's not a new language, but at the same time, it's kind of a Domain-specific language.

At any rate, I don't think that if it was Scheme that the goal was to obfuscate that it was written in Scheme.

See my comment below. I don't think you quite understood what I meant. I'm not saying the code was written in Scheme. I'm saying there is a product that allows you to write Scheme macros to manipulate a database of machine code IR derived from disassembly and then turn the modified database back into an executable.

Hiding the source language makes identifying the origin of the malware difficult. There are obvious reasons to do that.

> Hiding the source language makes identifying the origin of the malware difficult.

How so? Knowing that it was written using VC would hardly help identifying the origin.

That's not to say that you're wrong about the tool used, but I don't believe the goal was to cover their tracks, but some kind of optimization. Viruses often face space constraints.

I am not knowledgeable enough to say much on this topic, but I was wondering if maybe such rewriting would also serve to make it easy to mutate code to change its signature?

That was sort of what I was getting at. The obfuscation of the source language may be correlated, but it's not the goal.