[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Unpacking of malware, like Sasser

To: Dennis Rand <der@xxxxxxxxxxxxxx>
Subject: Re: [Full-Disclosure] Unpacking of malware, like Sasser
From: "Gary E. Miller" <gem@xxxxxxxxxx>
Date: Sun, 2 May 2004 12:49:48 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yo Dennis!

On Sun, 2 May 2004, Dennis Rand wrote:

> There has not been so much talk as i could find on discovering how to
> unpack a malware program like sasser and other viruses and worms,

The old ways still work no matter the file packer.

Load the virus up in your favorite debugger
Run the program just until it is finished unpacking itself.
Save the memory image as a core file.
Run you favorite reverse-assembler in the core file.

Depending on the skill level of you, the virus writer snd the packer writer
this could be a snap or a real PITA.

RGDS
GARY
- ---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
        gem@xxxxxxxxxx  Tel:+1(541)382-8588 Fax: +1(541)382-8676

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAlVDf8KZibdeR3qURAifhAKCDFZ/4x6ahOu9AajRDxnYEYLqfywCeN/KS
64y8Cgwz4/nJ3jjzuYsvHeI=
=LeIY
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- [Full-Disclosure] Unpacking of malware, like Sasser
  - From: Dennis Rand

Prev by Date: [Full-Disclosure] Unpacking of malware, like Sasser
Next by Date: [Full-Disclosure] RE: SASSER
Previous by thread: [Full-Disclosure] Unpacking of malware, like Sasser
Next by thread: [Full-Disclosure] RE: SASSER
Index(es):
- Date
- Thread