To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Hello -- please forgive the late addition and reviving a dead thread... I just joined the mailing list and thought I might be able to add some value to this thread.
 
<snip>
"The mere fact that the rp5.exe binary actually runs in a Windows system
means that *it* manages to decompress itself, and that somewhere in RAM
on that system there is an uncompressed version being executed."
</snip>
 
Well said... if it runs you know it can be decompressed... You've got a couple of options... my suggestion is to set up an isolated virtual machine configured with your favorite disassembler (ok, MY fav disassembler -- IDA) and get to work.  Unpacking malware is far from new territory so you'll get a ton of help from various white papers and IDA plugins.
 
If you've done some RE work before and want a quick 4-pager on unpacking, check this out:
http://home.arcor.de/idapalace/papers/unpacking_malware_using_ida_pro_extensions.pdf
 
It'll introduce EPF -- an IDA plugin created to simplify the process of finding the original entry point.
Then use DumpSeg to dump the unencrypted segment for later analysis.
 
Check this for a much more in-depth paper (75 pages or so):
http://rozinov.sfs.poly.edu/papers/bagle_analysis_v.1.0.pdf
 
Best of luck!
Jeremy 
 
Gadi Evron wrote:
> M45T3R S4D0W8 wrote:

<snip>

>> There are various utilities for making it impossible to unpack a UPXed
>> EXE.

> Nothing is impossible. Not trying to be annoying.. just is.


The mere fact that the rp5.exe binary actually runs in a Windows system
means that *it* manages to uncompress itself, and that somewhere in RAM
on that system there is an uncompressed version being executed.

Ergo, it is perfectly possible to uncompress it. ;)

I just need to perfect how to find that uncompressed and running binary
somewhere in memory. So far my practice runs using various utilities -
the latest one being OllyDbg - have only uncovered the compressed
binary. Bah, I'm missing some Sacred Knowledge methinks.

The quicker and dirtier way of course is to snoop on the network traffic
which is being generated by the running malware, but in my opinion
additional detail could be gained from direct examination of the code.

Regards.
 
_______________________________________________
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
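An added triage example for the thread above, not code from any of the posters: a static check for the packer traits the discussion touches on (UPX section names, an entry point inside the last section, a section that is empty on disk, near-random section data), run on a constructed PE32 stand-in rather than the rp5.exe sample. The name check is the part that section-renaming tools defeat; the entropy signal, and the runtime fact that the stub must unpack itself in memory, are not.

```python
import math
import random
import struct

def _sect(name, vaddr, vsize, roff, rsize):
    # IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, then 16 zeroed bytes.
    return struct.pack("<8sIIII", name, vsize, vaddr, rsize, roff) + b"\0" * 16

def build_sample_pe() -> bytes:
    # Constructed stand-in for a UPX-style packed PE32 (not a real sample): UPX0 has no bytes on disk but a
    # large virtual size (room for the unpacked image), UPX1 holds pseudo-random "compressed" bytes and the entry point.
    opt_size, entry_rva, raw_off, raw_size = 224, 0x3100, 0x400, 0x400
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\0")
    secs = _sect(b"UPX0", 0x1000, 0x2000, raw_off, 0) + _sect(b"UPX1", 0x3000, 0x1000, raw_off, raw_size)
    rng = random.Random(7)                                      # deterministic filler standing in for packed data
    payload = bytes(rng.randrange(256) for _ in range(raw_size))
    return (dos + coff + opt + secs).ljust(raw_off, b"\0") + payload

def entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data))) if n else 0.0

def parse_pe(pe: bytes):
    # Returns (AddressOfEntryPoint, [(name, vaddr, vsize, raw_off, raw_size), ...]).
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    entry = struct.unpack_from("<I", pe, e_lfanew + 40)[0]       # AddressOfEntryPoint, optional header + 16
    base = e_lfanew + 24 + opt_size
    raw = [struct.unpack_from("<8sIIII", pe, base + 40 * i) for i in range(nsec)]
    return entry, [(n.rstrip(b"\0").decode("ascii", "replace"), va, vs, ro, rs) for n, vs, va, rs, ro in raw]

def packer_hints(pe: bytes) -> dict:
    entry, secs = parse_pe(pe)
    last = secs[-1]
    return {
        # Cheap, but defeated by anything that renames sections or strips the UPX markers.
        "upx_section_names": any(s[0].startswith("UPX") for s in secs),
        # The decompression stub, and so the on-disk entry point, usually sits in the last section.
        "entry_in_last_section": last[1] <= entry < last[1] + max(last[2], last[4]),
        # No bytes on disk but a large virtual size: space the stub fills with the unpacked image at run time.
        "empty_on_disk_section": any(s[4] == 0 and s[2] > 0 for s in secs),
        # Compressed data is near-random (close to 8 bits/byte); this signal survives renamed sections.
        "max_section_entropy": max((entropy(pe[s[3]:s[3] + s[4]]) for s in secs), default=0.0),
    }
```

None of these hints replaces running the sample and dumping the unpacked image once the stub has finished, which is what the EPF/DumpSeg workflow above does; they only tell you which samples are worth that effort.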