Peacomm.C / Storm Worm Analysis

I've been (unfortunately) quite silent in the last few weeks. Work kept me busy, but last Friday an important deadline passed and now I should have some more time. For now, just a quick link: Frank published a very interesting study on Peacomm.c (aka Storm Worm, Nuwar, Small.dam, and others) which focuses on reverse engineering of the actual binary. From his description:
It mainly focuses on extracting the native Peacomm.C code from the original crypted/packed code and all the things that happen along the way, like: XOR + TEA decryption, TIBS unpacking, defeating Anti-Debugging code, files dropping, driver-code infection, VM-detection tricks and all the nasty things the rootkit-driver does.

It's definitely worth reading, so grab your copy of "Peacomm.C - Cracking the nutshell.zip"!
