Analyze Infected Host With Wireshark


Introducing to the world of Wireshark.

 Analyze unique communications to/from a bot-infected host, reassembles an IRC communication over a non-standard port, and identifies what bot is on the infected host and spot unusual DNS replies..

This analysis is carried out using WireShark, a network analysis tool formerly known as Ethereal, captures packets in real time and displays them in human-readable format. Wireshark includes filters, color-coding and other features that let you dig deep into network traffic and inspect individual packets. Continue reading “Analyze Infected Host With Wireshark” »

Reverse Engineering Storm Worm

The Storm Worm (dubbed so by the Finnish company F-Secure) is a backdoor / Trojan horse that affects computers using Microsoft operating systems, discovered on January 17, 2007. The worm is also known as:

  • Small.dam or Trojan-Downloader.Win32.Small.dam (F-Secure)
  • CME-711 (MITRE)
  • W32/Nuwar@MM and Downloader-BAI (specific variant) (McAfee)
  • Troj/Dorf and Mal/Dorf (Sophos)
  • Trojan.DL.Tibs.Gen!Pac13[3]
  • Trojan.Downloader-647
  • Trojan.Peacomm (Symantec)
  • TROJ_SMALL.EDW (Trend Micro)
  • Win32/Nuwar (ESET)
  • Win32/Nuwar.N@MM!CME-711 (Windows Live OneCare)
  • W32/Zhelatin (F-Secure and Kaspersky)
  • Trojan.Peed, Trojan.Tibs (BitDefender)

The Storm Worm began attacking thousands of (mostly private) computers in Europe and the United States on Friday, January 19, 2007, using an e-mail message with a subject line about a recent weather disaster, “230 dead as storm batters Europe”.[6] During the weekend there were six subsequent waves of the attack.[7] As of January 22, 2007, the Storm Worm accounted for 8% of all malware infections globally. Continue reading “Reverse Engineering Storm Worm” »

Malware Unpacking With Ollydbg


For years, malware take advantage of packers to protect themselves against reverse analysis and AV detection. Third party packers such as UPX, PECompact, Aspack, etc. were being used by malware for years to somehow evade antivirus detection and make reversing difficult . However, due to the fact that these are available tools, AV companies and reversers where able to study them and thus malwares packed with such third party packers can be easily unpacked these days. Today however, malware using a so called hacker-packer is proliferating. Unlike packers such as UPX, hacker-packer tools are not readily available. They are sold and distributed usually underground. Continue reading “Malware Unpacking With Ollydbg” »