RE: [Full-disclosure] Malicious Code Analysis

From: mike king (ngiles_at_hushmail.com)
Date: 08/05/05

  • Next message: Thierry Carrez: "[Full-disclosure] [ GLSA 200508-04 ] Netpbm: Arbitrary code execution in pstopnm"
    Date: Fri,  5 Aug 2005 03:04:06 -0700
    To: <full-disclosure@lists.grok.org.uk>, <m4ch3t3@gmail.com>, <pkr@csis.dk>
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Thanks for all the feedback. I have always taken the poor man's
    approach to this since it's not really my job, but a fun hobby on
    the side.

    regards mike

    On Fri, 05 Aug 2005 02:49:49 -0700 Peter Kruse <pkr@csis.dk> wrote:
    >Hey,
    >
    >> These were not submitted to any AV vendors since Norton did
    >> flag them. In the past I have submitted unknown trojans/
    >> viruses like these to Symantec when clients have been owned,
    >> but what can I say, they are hardly 0day, more like 300 day.
    >
    >8-)
    >
    >> http://www.bitsum.com/pec2.asp
    >
    >Yes, I already have this tool in my box. Pretty useful for first
    >glance.
    >
    >> Could you share your methodology on how you go about reverse
    >> engineering/disassembling a malicious piece of code that has
    >> had a packer run on it?
    >
    >There are many off-the-shelf unpackers out there that will do the
    >job just fine, but lately malware writers would rather modify or
    >use enhanced/hacked versions of popular PE-packers. Either way a
    >compressed binary will have to uncompress itself using the
    >compressor stub in order to run. In order to unpack, look for the
    >call that jumps from the stub to the unpacked code. When the jmp
    >address is located, modify it so the jmp goes to esi. This will
    >put the code in a loop. Next, procdump.
    >
    >There are plenty of good tutorials. One of these is associated
    >with IDA:
    >http://www.datarescue.com/idabase/unpack_pe/
    >
    >I hope this helps you get started.
    >
    >Regards
    >Peter Kruse
    -----BEGIN PGP SIGNATURE-----
    Note: This signature can be verified at https://www.hushtools.com/verify
    Version: Hush 2.4

    wkYEARECAAYFAkLzNy8ACgkQUjm7xSZSd8GYjACeIoBxJOXEqi4omXslFRpJRGF7Vw0A
    n3tB9zvUITpeklmYRUG0GQN8Gxjs
    =rUI8
    -----END PGP SIGNATURE-----

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
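The unpacking procedure Peter describes above (find the jump that leaves
the decompression stub, turn it into a loop so the process parks on the
now-unpacked code, then dump the process) can be illustrated with a
small script. The following is an added example and is not code from
the thread or from any tool mentioned in it. It works on the PE file on
disk rather than in the debugger, builds a constructed two-section PE
of its own (not a real packed sample), and assumes the analyst has
already located the stub's tail jump at the hypothetical RVA 0x3010.
To create the loop it uses a two-byte self-jump (EB FE, "jmp short to
itself") rather than the jmp-to-esi variant mentioned in the reply; the
effect is the same, execution spins at the jump until the debugger is
attached and the image dumped. The script also decodes the jump's
target, which is the original entry point that the dumped image will
need when its PE header is repaired.

```python
import struct

# x86 "jmp short -2": the instruction jumps to itself, so the process
# parks here once the stub has finished uncompressing the real code.
JMP_SELF = b"\xeb\xfe"


def parse_sections(pe):
    """Return (name, va, vsize, rawptr, rawsize) for every section header."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_opt          # section table follows the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rawptr, rawsize))
    return sections


def rva_to_offset(pe, rva):
    """Map an RVA seen in the debugger to its file offset; packed
    sections with no raw data (where the unpacked code will land) are rejected."""
    for name, va, vsize, rawptr, rawsize in parse_sections(pe):
        if va <= rva < va + max(vsize, rawsize):
            delta = rva - va
            if delta >= rawsize:
                raise ValueError(f"RVA {rva:#x} is in the zero-filled part of {name}; nothing on disk to patch")
            return rawptr + delta
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def decode_tail_jump(pe, rva):
    """Decode an E9 rel32 jmp at `rva` and return its target RVA (the candidate OEP)."""
    off = rva_to_offset(pe, rva)
    if pe[off] != 0xE9:
        raise ValueError(f"byte at {rva:#x} is {pe[off]:#04x}, not an E9 jmp rel32")
    rel = struct.unpack_from("<i", pe, off + 1)[0]
    return (rva + 5 + rel) & 0xFFFFFFFF


def patch_tail_jump(pe, rva):
    """Overwrite the tail jump with a self-loop; return (patched image, saved original bytes)."""
    off = rva_to_offset(pe, rva)
    saved = pe[off:off + 2]
    patched = bytearray(pe)
    patched[off:off + 2] = JMP_SELF
    return bytes(patched), saved


def build_sample_pe():
    """Constructed 32-bit PE for the demo: an empty .upx0 section where the
    unpacked code lands and a .upx1 section holding a fake stub that ends
    in a jmp to RVA 0x1000. Not a real packed binary."""
    hdr = bytearray(0x40)                               # DOS header
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)            # e_lfanew
    hdr += b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)  # i386, 2 sections, 224-byte opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 16, 0x3000)             # AddressOfEntryPoint: the stub
    struct.pack_into("<I", opt, 28, 0x400000)           # ImageBase
    hdr += opt
    # .upx0: VA 0x1000, 0x2000 bytes virtual, no raw data on disk
    hdr += struct.pack("<8sIIIIIIHHI", b".upx0", 0x2000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000080)
    # .upx1: VA 0x3000, 0x200 raw bytes at file offset 0x200 (the stub)
    hdr += struct.pack("<8sIIIIIIHHI", b".upx1", 0x200, 0x3000, 0x200, 0x200, 0, 0, 0, 0, 0xE0000040)
    hdr += b"\0" * (0x200 - len(hdr))
    stub = bytearray(0x200)
    stub[0x00] = 0x60                                    # pushad: stub entry
    stub[0x0F] = 0x61                                    # popad: registers restored
    stub[0x10] = 0xE9                                    # jmp rel32 -> OEP at RVA 0x1000
    struct.pack_into("<i", stub, 0x11, 0x1000 - (0x3010 + 5))
    return bytes(hdr + stub)


if __name__ == "__main__":
    image = build_sample_pe()
    tail = 0x3010                                        # hypothetical: found while single-stepping the stub
    print(f"tail jump at {tail:#x} targets OEP {decode_tail_jump(image, tail):#x}")
    patched, saved = patch_tail_jump(image, tail)
    print(f"replaced {saved.hex()} with {JMP_SELF.hex()}; run the patched file, attach, dump")
```

Against a live sample the same two-byte write is normally made in the
debugger's view of process memory instead of on disk, since the stub
region is what actually executes; the file-level version here only
saves attaching a debugger before the stub runs. Whichever way the
patch is applied, keep the saved bytes and the decoded target: after
the dump, the original jump target becomes the entry point of the
dumped image and the imports the stub resolved still have to be
rebuilt, which is where tools such as the IDA tutorial linked above
take over.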

