
Re: [Full-Disclosure] Which worm?



From: Wolfram Schroeder <ws@xxxxxxxxxxxxxxxxxxxxxxxx>
2) The easiest way to get a sample is to netcat -l -p 3127 > sample. The port 3127 was the original MYDOOM-backdoor port. You have to remove the first 5 bytes to get a working executable, I use vi for this. Many of the samples you get with netcat are broken - complete samples seem to have sizes > 99k, up to 150k, we're told. The largest one I got was 130k (may be a broken version of the 150k sample), many others are 104k. AV-scanners will sometimes identify the broken samples, sometimes not. My heuristic is to look at the end of the file and see if there's a list of dll's. If not, I consider it broken - does this make sense?

It's broken if it can't be loaded by Windows. What you should do is double-click the worm and see if Windows can load it. If it can, congratulations, you've got a working worm, if not, keep looking.


Or you can load the file in a debugger and if it works you shouldn't get any errors. Then terminate the process (which hasn't started yet). If you want to automate this you should write a simple PE tool that can check if all bytes are present on disk.


3) The samples are compressed using various EXE-compressing tools. You can learn about/download them at www.exetools.com. One sample I got (the 130k sample) has been compressed using exe32pack (writes this info into the executable), another one (99k) using UPX (has section names UPX0, UPX1 etc). The next one (104k) is compressed using an unknown tool or by a handwritten tool. The exe32pack-packed sample expands to over 400k, the UPX-sample to roughly 300k code. This is huge, for a worm.

The reason for this is that a script kiddie usually doesn't know that a bigger file is slower to upload. When he/she realizes that, he/she will usually send smaller files.



These compressors often destroy information helpful with disassembling, with the notable exception of UPX. If you want to have an easy-to-disassemble sample I suggest you wait for the UPX-Version.

I hope AV companies don't follow your advice.


You can discern it by loading it into vi and looking for UPX0, or download upx.exe and run upx -t virussample. You decompress it using the -d switch.

Another question: Is there a quick way to find out which tool compressed an executable? A tool maybe?

PEiD is popular.



4) When you have an unpacked version, you can go and look for the strings in the executable. The authors were helpful enough to include help texts. I have the theory that you should be able to get the host/channel/username/password for the relevant IRC-Channels from the executable or a network sniffer, log in using an IRC-Client and execute bot.die. Didn't try it, though.

Most of these IRC backdoors are generated automatically. When you've seen one you've seen 'em all.



=>>> Final question: Is there a forum for worm-disassembling wannabes? <<<=

Full Disclosure a couple of times per year.


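The two checks discussed in the thread, the "simple PE tool that can check if all bytes are present on disk" and the UPX0/UPX1 section-name heuristic, as an added example that is not from the thread or from any of its participants. It walks the DOS/COFF headers and the section table, derives the minimum on-disk size from PointerToRawData + SizeOfRawData, and flags UPX-style section names; the input bytes are a constructed header-only file, not a real sample, and treating any section name beginning with UPX as a UPX marker is an assumption based only on the names the thread mentions.

```python
import struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER is 40 bytes

def parse_sections(data):
    """Walk the DOS/COFF headers and return the section table as a list of tuples.
    Raises ValueError when the headers themselves are missing or cut off."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                              # first section header
    if table + nsec * SECTION_HDR.size > len(data):
        raise ValueError("section table truncated")
    return [SECTION_HDR.unpack_from(data, table + i * SECTION_HDR.size) for i in range(nsec)]

def expected_file_size(data):
    """Largest PointerToRawData + SizeOfRawData: a complete file is at least this long."""
    end = 0
    for sec in parse_sections(data):
        rawsize, rawptr = sec[3], sec[4]
        end = max(end, rawptr + rawsize)
    return end

def is_complete(data):
    """False for a sample whose section data was cut off mid-transfer."""
    return len(data) >= expected_file_size(data)

def section_names(data):
    return [sec[0].rstrip(b"\0") for sec in parse_sections(data)]

def looks_upx_packed(data):
    """Heuristic from the thread: UPX names its sections UPX0, UPX1, ... (assumption: any UPX* name)."""
    return any(name.startswith(b"UPX") for name in section_names(data))

def build_sample(truncate=0):
    """Constructed test input: a header-only 'PE' with two UPX-style sections, not a real binary."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                        # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)  # no optional header
    sec0 = SECTION_HDR.pack(b"UPX0", 0x1000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000080)
    sec1 = SECTION_HDR.pack(b"UPX1", 0x200, 0x2000, 0x200, 0x200, 0, 0, 0, 0, 0xE0000040)
    body = dos + coff + sec0 + sec1
    body += b"\0" * (0x200 - len(body)) + b"\xCC" * 0x200   # UPX1 raw data lives at 0x200
    return body[:len(body) - truncate] if truncate else body
```

A file that is cut off inside the headers raises ValueError from parse_sections, which is the same "broken" verdict as a short section body; a file longer than the expected size (overlay data) still counts as complete.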


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html