From Collaborative RCE Knowledge Library


Malware Analysis Articles


Item name: "Skype" Trojan Analysis
Rating: 0.0 (0 votes)
Author: Nicolas Brulez                        
Home URL: http://securitylabs.websense.com/
Last updated: January 2, 2007
Version (if appl.):
Direct D/L link: http://securitylabs.websense.com/content/Blogs/2642.aspx
Description: This blog post shows how the author reversed a piece of malware that was spreading through Skype.
The most interesting parts are the decryption and the IE injection analysis.
Also listed in: Windows Malware Analysis Articles



Item name: Introductory Intel x86: Architecture, Assembly, Applications, & Alliteration
Rating: 5.0 (1 vote)
Author: Xeno Kovah                        
Home URL: http://opensecuritytraining.info/
Last updated: June 27, 2011
Version (if appl.):
Direct D/L link: http://opensecuritytraining.info/IntroX86.html
Description: This is a 2-day class which is freely available to watch. You can also take the materials and use them to teach your own classes.

--

Intel processors have been a major force in personal computing for more than 30 years. An understanding of low level computing mechanisms used in Intel chips as taught in this course serves as a foundation upon which to better understand other hardware, as well as many technical specialties such as reverse engineering, compiler design, operating system design, code optimization, and vulnerability exploitation.

25% of the time will be spent bootstrapping knowledge of fully OS-independent aspects of Intel architecture. 50% will be spent learning Windows tools and analysis of simple programs. The final 25% of time will be spent learning Linux tools for analysis.

This class serves as a foundation for the follow on Intermediate level x86 class. It teaches the basic concepts and describes the hardware that assembly code deals with. It also goes over many of the most common assembly instructions. Although x86 has hundreds of special purpose instructions, students will be shown it is possible to read most programs by knowing only around 20-30 instructions and their variations.

The instructor-led lab work will include:

* Stepping through a small program and watching the changes to the stack at each instruction (push, pop, call, ret (return), mov)
* Stepping through a slightly more complicated program (adds lea (load effective address), add, sub)
* Understanding the correspondence between C and assembly control transfer mechanisms (e.g. goto in C == jmp in asm)
* Understanding conditional control flow and how loops are translated from C to asm (conditional jumps, jge (jump greater than or equal), jle (jump less than or equal), ja (jump above), cmp (compare), test, etc.)
* Boolean logic (and, or, xor, not)
* Logical and arithmetic bit shift instructions and the cases where each would be used (shl (logical shift left), shr (logical shift right), sal (arithmetic shift left), sar (arithmetic shift right))
* Signed and unsigned multiplication and division
* Special one-instruction loops and how C functions like memset or memcpy can be implemented in one instruction plus setup (rep stos (repeat store to string), rep mov (repeat mov))
* Misc instructions like leave and nop (no operation)
* Running examples in the Visual Studio debugger on Windows and the GNU Debugger (GDB) on Linux
* The famous "binary bomb" lab from the Carnegie Mellon University computer architecture class, which requires the student to do basic reverse engineering to progress through the different phases of the bomb, giving the correct input to avoid it "blowing up". This will be an independent activity.


Knowledge of this material is a prerequisite for future classes such as Intermediate x86, Rootkits, Exploits, and Introduction to Reverse Engineering (all offered at http://opensecuritytraining.info/Training.html).
Also listed in: Generic Malware Analysis Articles, Generic Reversing Technique Tutorials, X86 Internals Tutorials



Item name: Practical malware analysis
Rating: 3.0 (1 vote)
Author: Kris Kendall, Chad McMillan                        
Home URL: http://www.mandiant.com/
Last updated: 2007
Version (if appl.):
Direct D/L link: http://www.blackhat.com/presentations/bh-dc-07/Kendall_McMillan/Presentation/bh-dc-07-Kendall_McMillan.pdf
Description: This PDF from BlackHat '07 is interesting because it gets straight to the point; only essential information is in it.
It briefly describes how to set up an environment, malware analysis on Windows, the difference between static and dynamic analysis, and a few words about armored malware (packing, encryption) as well as the tools to deal with it.
Also listed in: Windows Malware Analysis Articles



Item name: State Of Malware: Family Ties
Rating: 3.0 (1 vote)
Author: Ero Carrera & Peter Silberman                        
Home URL: http://www.mandiant.com/
Last updated: April 12, 2010
Version (if appl.):
Direct D/L link: https://media.blackhat.com/bh-eu-10/whitepapers/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-wp.pdf
Description: The two authors collected some of the most widespread malware on the net and studied it to cluster the samples into families and find correlations between malware from different sources and with different goals.

They introduced a graph tool, BinCrowd, from Zynamics.
Also listed in: Windows Malware Analysis Articles



Item name: A Journey to the Center of the Rustock.B Rootkit
Rating: 0.0 (0 votes)
Author: Frank Boldewin                        
Home URL: http://www.reconstructer.org
Last updated: January 20, 2007
Version (if appl.): 1.0
Direct D/L link: http://antirootkit.com/articles/A-Journey-to-the-Center-of-the-Rustock-B-Rootkit/index.htm
Description: "You try to look innocent, but what's behind the curtain? Whatever you hide or pretend will be detected - this is certain!" On 27th December 2006 I found a sample of the Rustock.B Rootkit at www.offensivecomputing.net, which was only sparsely analyzed at this time. I was keen to study its behaviour, as I’ve heard a lot of stories about this infamous Rootkit. Rustock included several techniques to obfuscate the driver which could be stumbling blocks for the researcher. Analyzing the binary was quite fun. Recalling the work I’ve done over the last few days, it is clear that Rustock is quite different from most other Rootkits I’ve seen in the past. It is not much because Rustock uses new techniques, but rather because it combines dozens of known tricks from other malware which makes it very effective.
Also listed in: Windows Malware Analysis Articles



Item name: Advanced malware analysis lab
Rating: 0.0 (0 votes)
Author: Wes Brown                        
Home URL: http://www.ioactive.com/
Last updated: July 4, 2010
Version (if appl.):
Direct D/L link: http://conference.hitb.org/hitbsecconf2010ams/materials/D2T3%20-%20Wes%20Brown%20-%20Advanced%20Malware%20Analysis%20Lab.pdf
Description: Among the techniques reviewed will be memory inspection, debugging, hooking, as well as PE file examination. Techniques that malware use to avoid being inspected will be discussed along with ways to work around them. The malware workshop environment will also be walked through and each tool demonstrated so that the workshop attendee would leave with a good grasp of how and when to use them.
Also listed in: Linux Malware Analysis Articles, Windows Malware Analysis Articles



Item name: An Analysis of the iKee.B (Duh) iPhone Botnet
Rating: 0.0 (0 votes)
Author: Phillip Porras, Hassen Saidi & Vinod Yegneswaran                        
Home URL: http://mtc.sri.com
Last updated: December 14, 2009
Version (if appl.): 1.1
Direct D/L link: http://mtc.sri.com/iPhone/
Description: This article describes the main steps of the iKee.B analysis. This bot spread through jailbroken iPhone devices whose default SSH password had not been changed.
Also listed in: IPhone Malware Analysis Articles



Item name: Capture, care and analysis of Malware made easy
Rating: 0.0 (0 votes)
Author: Blake McNeill                        
Home URL: http://www.linklogger.com/blog/index.php
Last updated: January 3, 2007
Version (if appl.):
Direct D/L link: http://www.linklogger.com/vm_capture.htm
Description: This article describes the process of setting up an environment with Virtual PC 2007 to capture malware on Windows. Although quite old, it is interesting as an alternative to VMware.

"One of the best ways to learn about something is to play with it and see what it does and how it behaves in a controlled environment. This also applies to learning about worms and viruses, but the problem with doing this is typically the computer you used to experiment with was trashed in the process and rebuilding a computer from scratch can be a huge hassle. Now if you could simply drop the now infected computer in the garbage when you were done playing, and with no cost, then there would be very little preventing you from learning about malware, if you so wished."
Also listed in: Windows Malware Analysis Articles



Item name: Code Obfuscation and Malware Detection by Abstract Interpretation
Rating: 0.0 (0 votes)
Author: Mila Dalla Preda                        
Home URL: http://profs.sci.univr.it/~dallapre/
Last updated: February 2007
Version (if appl.):
Direct D/L link: http://profs.sci.univr.it/~dallapre/MilaDallaPreda_PhD.pdf
Description: This Ph.D. thesis deals with code obfuscation and malware detection through a formal approach based on program semantics and abstract interpretation.
Also listed in: Generic Anti Reversing Articles, Generic Malware Analysis Articles



Item name: Conficker C P2P Protocol and Implementation
Rating: 0.0 (0 votes)
Author: Phillip Porras, Hassen Saidi and Vinod Yegneswaran                        
Home URL: http://mtc.sri.com/
Last updated: September 21, 2009
Version (if appl.):
Direct D/L link: http://mtc.sri.com/Conficker/P2P/index.html
Description: This report presents a reverse engineering of the obfuscated binary code image of the Conficker C peer-to-peer (P2P) service. It implements the functions necessary to bootstrap an infected host into the Conficker P2P network through scan-based peer discovery, and allows peers to share and spawn new binary logic directly into the currently running Conficker C process. Conficker's P2P logic and implementation are dissected and presented in source code form. The report documents its thread architecture, presents the P2P message structure and exchange protocol, and describes the major functional elements of this module.

MD5 of the sample analyzed: 5e279ef7fcb58f841199e0ff55cdea8b
Also listed in: Windows Malware Analysis Articles



Item name: Forensic discovery - Malware analysis basics
Rating: 0.0 (0 votes)
Author: Wietse Venema, Dan Farmer                        
Home URL: http://www.porcupine.org
Last updated: January 9, 2005
Version (if appl.):
Direct D/L link: http://www.porcupine.org/forensics/forensic-discovery/chapter6.html
Description: This chapter on malware analysis basics comes from a larger book about forensic discovery (a must read), all about UNIX!
Also listed in: Linux Malware Analysis Articles



Item name: Infecting the Mach-O object format
Rating: 0.0 (0 votes)
Author: Neil Archibald                        
Home URL: http://www.suresec.com
Last updated: April 8, 2007
Version (if appl.):
Direct D/L link: http://felinemenace.org/~nemo/slides/mach-o_infection.ppt
Description: Disclaimer: This document is NOT intended to be a HOW-TO guide for Apple virus writers, but rather explore the Mach-o format and illustrate some ways in which infection can occur.

Through these slides Neil Archibald (felinemenace.org) introduces you to the Mach-O file format and covers native OS anti-debugging techniques and universal binaries.
Also listed in: Mac OS Anti Reversing Articles, Mac OS Internals Articles, Mac OS Malware Analysis Articles



Item name: Linux Improvised Userland Scheduler Virus
Rating: 0.0 (0 votes)
Author: Izik                        
Home URL: http://uninformed.org
Last updated: December 29, 2005
Version (if appl.):
Direct D/L link: http://uninformed.org/?v=3&a=6&t=txt
Description: "This paper discusses the combination of a userland scheduler and runtime process infection for a virus. These two concepts complete each other. The runtime process infection opens the door to invading into other processes, and the userland scheduler provides a way to make the injected code coexist with the original process code. This allows the virus to remain stealthy and active inside an infected process."
Also listed in: Linux ELF Articles, Linux Internals Articles, Linux Malware Analysis Articles



Item name: Malware Analysis: Environment Design and Architecture
Rating: 0.0 (0 votes)
Author: Adrian Sanabria                        
Home URL: http://www.sans.org/
Last updated: January 18, 2007
Version (if appl.):
Direct D/L link: http://www.sans.org/reading_room/whitepapers/threats/malware_analysis_environment_design_and_artitecture_1841
Description: This academic article precisely describes the possible ways of setting up a malware analysis environment (both physical and virtualized).
Also listed in: Linux Malware Analysis Articles, Windows Malware Analysis Articles



Item name: Mass Malware Analysis: A Do-It-Yourself Kit
Rating: 0.0 (0 votes)
Author: Christian Wojner                        
Home URL: http://cert.at/
Last updated: October 14, 2009
Version (if appl.): 1.0
Direct D/L link: http://cert.at/static/downloads/papers/cert.at-mass_malware_analysis_1.0.pdf
Description: This paper outlines the relevant steps to build up a customizable automated malware analysis station by using only freely available components with the exception of the target OS (Windows XP) itself. Further a special focus lies in handling a huge amount of malware samples and the actual implementation at CERT.at. As primary goal the reader of this paper should be able to build up her own specific installation and configuration while being free in her decision which components to use.

The first part of this document will cover all the theoretical, strategic and methodological aspects. The second part is focusing on the practical aspects by diving into CERT.at's automated malware analysis station closing with an easy to follow step-by-step tutorial, how to build up CERT.at's implementation for your own use. So feel free to skip parts.
Also listed in: Windows Malware Analysis Articles



Item name: Peacomm.C: Cracking the nutshell
Rating: 0.0 (0 votes)
Author: Frank Boldewin                        
Home URL: http://www.reconstructer.org
Last updated: September 21, 2007
Version (if appl.): 1.0
Direct D/L link: http://www.antirootkit.com/articles/eye-of-the-storm-worm/Peacomm-C-Cracking-the-nutshell.html
Description: The first variant "Peacomm.A" was detected in the middle of January 2007 and since then it has grown into one of the most successful botnets ever seen in the wild. It uses an adjusted Overnet protocol for spreading and communication. Its main intent is spamming and DDoS attacking. Also the fast-flux service network which is being used by the criminals behind the attacks is really amazing and frightening at the same time. As its botnet activities are not the focus of this essay, I've included interesting other papers covering these topics.
Also listed in: Windows Malware Analysis Articles



Item name: Reverse Engineering the newest Facebook invite virus
Rating: 0.0 (0 votes)
Author: Dave Paola                        
Home URL: http://davezor.posterous.com
Last updated: May 17, 2010
Version (if appl.):
Direct D/L link: http://davezor.posterous.com/reverse-engineering-the-newest-facebook-invit
Description: A friend "recommended" a page to me this morning on facebook. It's this page (DONT FOLLOW THE INSTRUCTIONS): hxxp://www.facebook.com/MindIllusion

The instructions basically have you copy and paste some javascript into your address bar. Dumb. But the javascript is fairly obfuscated and encoded with some escape sequences and hex code. Having never reverse engineered javascript like this, I decided to give it a try. Using Mozilla's SpiderMonkey and some vim-foo, here are my results.
Also listed in: Javascript Malware Analysis Articles



Item name: Reverse-Engineering Malware
Rating: 0.0 (0 votes)
Author: Lenny Zeltser                        
Home URL: http://zeltser.com
Last updated: 2001
Version (if appl.):
Direct D/L link: http://zeltser.com/reverse-malware-paper/
Description: This article describes each step in the analysis of IRC.SRVCP_Trojan (Symantec naming).
It is complemented by the related URL listed for this item.
Also listed in: Windows Malware Analysis Articles



Item name: Reversing Malware: Analysis of the worm "Tibick.D"
Rating: 0.0 (0 votes)
Author: Daniel Schoepe                        
Home URL: http://lesco.le.funpic.de
Last updated: November 6, 2006
Version (if appl.):
Direct D/L link: http://lesco.le.funpic.de/files/articles/rev_malware1/tibick.d.html
Description: This article describes the steps and tools used in the Tibick.D worm analysis: infection routine, backdoor and replication routine code explanation.
Also listed in: Windows Malware Analysis Articles



Item name: Stealth MBR Rootkit
Rating: 0.0 (0 votes)
Author: GMER                        
Home URL: http://www.gmer.net
Last updated: January 2, 2008
Version (if appl.):
Direct D/L link: http://www2.gmer.net/mbr/
Description: At the end of 2007 a stealth MBR rootkit was discovered by MR Team members (thanks to Tammy & MJ), and it looks like this way of affecting NT systems could become more common in the near future if the MBR stays unprotected.

"Good points" of being an MBR rootkit:
* full control of the machine boot process: code is executed before the OS starts
* the rootkit does not need a file: code can exist in some sectors of the disk and cannot be deleted like a usual file
* the rootkit does not need any registry entry because it is loaded by the MBR code
* to hide itself, the rootkit needs to control only a few sectors of the disk

How the MBR rootkit works:
* Installer
* MBR loader
* Kernel patcher
* Kernel driver loader
* Sectors hider/protector
* Kernel driver
* Detection
* Rootkit removal
Also listed in: Windows Malware Analysis Articles



Item name: Stuxnet's Rootkit (MRxNet) into C++
Rating: 0.0 (0 votes)
Author: Amr Thabet                        
Home URL: http://www.amrthabet.co.cc
Last updated: January 28, 2011
Version (if appl.): 1.00
Direct D/L link: Locally archived copy
Description: This project converts mrxnet.sys into readable C++ source code very similar to the equivalent native code in the mrxnet.sys sample.

Copyrights:
-----------
These files (except mrxnet.sys) were created by Amr Thabet and are copyrighted (c) by him.

Files:
------
1. mrxnet.sys: the rootkit sample
2. mrxnet.idb: the IDA Pro database for version 5.1
3. main.c: the main source code of the mrxnet.sys rootkit sample (created by manually reversing mrxnet.sys with only IDA Pro)
4. FastIo.c: the FastIoDispatch (you could ignore this part)

The other files are used for compiling the source code.

Notes:
------
The source code is 95% similar to the real rootkit, but that doesn't mean it works exactly like mrxnet.sys, as it still contains bugs that need to be fixed.
Also listed in: Windows Malware Analysis Articles



Item name: Swimming into hostile code: Gamethief.Win32.Magania
Rating: 0.0 (0 votes)
Author: Giuseppe Bonfa                        
Home URL: http://evilcodecave.blogspot.com
Last updated: August 2009
Version (if appl.):
Direct D/L link: http://www.accessroot.com/arteam/site/download.php?view.313
Description: Trojan-GameThief.Win32.Magania (Kaspersky naming convention) monitors user activity, trying to obtain valuable information from the affected user, especially gaming login accounts. This long tutorial analyzes this malware but is also a general document explaining how to analyze a modern nested-dolls malware.
Also listed in: Windows Malware Analysis Articles



Item name: TDL3 - Why so serious? Let's put a smile on that face ..
Rating: 0.0 (0 votes)
Author: Nguyễn Phố Sơn                        
Home URL: http://www.rootkit.com
Last updated: November 9, 2009
Version (if appl.):
Direct D/L link: http://www.rootkit.com/vault/thug4lif3/tdl3_analysis_paper_ed.rar
Description: TDL3/TDSS malware analysis, a good paper from rootkit.com.

BEWARE - password of the archive: tdl3_analysis

The TDL or TDSS family is a trojan famous for its effectiveness and active technical development. It consists of a couple of components: a kernel-mode rootkit and user-mode DLLs which perform the trojan operations such as downloading, blocking AVs, etc. Since the rootkit acts as an "injector" and protector for the user-mode bot binaries, almost all technical evolution of this threat family focuses on rootkit technology so as to evade AV scanners.
Also listed in: Windows Malware Analysis Articles



Item name: The Molecular Virology of Lexotan32: Metamorphism Illustrated
Rating: 0.0 (0 votes)
Author: Orr                        
Home URL: http://www.antilife.org/
Last updated: August 16, 2007
Version (if appl.):
Direct D/L link: https://www.openrce.org/articles/full_view/29
Description: Orr strikes again, here is an interesting article about (another) metamorphic malware released by Vecna, on VX Heavens in 2002.
Also listed in: Windows Malware Analysis Articles



Item name: The Viral Darwinism of W32.Evol
Rating: 0.0 (0 votes)
Author: Orr                        
Home URL: http://www.antilife.org/
Last updated: February 6, 2007
Version (if appl.):
Direct D/L link: https://www.openrce.org/articles/full_view/27
Description: This article, posted on OpenRCE, deals with Win32.Evol, a true metamorphic engine-powered malware.
Do not miss the reversed and commented engine code (see the related URLs).
Also listed in: Windows Malware Analysis Articles



Item name: usb_driver.com (hhbcddropper) analysis
Rating: 0.0 (0 votes)
Author: Mike Ciavarella & Nathan Martini                        
Home URL: http://www.blackfortressindustries.com
Last updated: May 21, 2010
Version (if appl.):
Direct D/L link: http://www.blackfortressindustries.com/malware-analysis/usb-removable-media/HuJuYinFuexianning-1925CE96DB51A0CF18AA6489FA2471C3089D6E8B-8F83E88ECD1466E7482D69ABAAC9935E/hhbcddropper.pdf
Description: A very detailed analysis of this USB infector malware.

1 Attachments:
2 Back Story:
3 Related To:
4 Summary of Activity:
5 Detailed Operation of Code Analysis:
5.1 autorun.inf
5.2 usb_driver.com
5.2.1 Executable Configuration
5.2.2 Embedded file/URL
5.2.3 Embedded File/URL Configuration
5.2.4 Encryption
5.2.5 Strings
5.2.6 Virtual Environment Detection
5.2.7 Fake Message Box
5.2.8 Kill Process
5.2.9 Melt Stub
5.2.10 Firewall Exception
5.2.11 Dropping Files
6 Forensic Details:
Also listed in: Windows Malware Analysis Articles



Item name: Virut.A Malware Analysis Paper
Rating: 0.0 (0 votes)
Author: Amr Thabet                        
Home URL: http://amrthabet.blogspot.com/
Last updated: September 3, 2010
Version (if appl.):
Direct D/L link: Locally archived copy
Description: Virut.A malware analysis paper with commented sources, and the detection and disinfection of Virut using the Pokas x86 Emulator at:

http://sourceforge.net/projects/x86emu/files/
Also listed in: Windows Malware Analysis Articles



