Peacomm.C / Storm Worm Analysis

Tuesday, September 25. 2007
I've been (unfortunately) quite silent in the last few weeks. Work kept me busy, but last Friday an important deadline passed and now I should have some more time. For now, just a quick link: Frank published a very interesting study on Peacomm.c (aka Storm Worm, Nuwar, Small.dam, and others) which focuses on reverse engineering of the actual binary. From his description:
It mainly focuses on extracting the native Peacomm.C code from the original crypted/packed code and all the things that happen along the way, like: XOR + TEA decryption, TIBS unpacking, defeating anti-debugging code, file dropping, driver-code infection, VM-detection tricks and all the nasty things the rootkit driver does.

It's definitely worth reading, so grab your copy of "Peacomm.C - Cracking the nutshell.zip"!
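For readers who have not met TEA before, the following is an added reference implementation, not code from Frank's study or from the Peacomm.C binary. It shows the kind of "XOR + TEA" unwrapping step the paper describes: a byte-wise XOR mask followed by standard TEA (Wheeler and Needham, 32 rounds, delta 0x9E3779B9) over 64-bit blocks. The sample bytes, the XOR byte, the 128-bit key and the order of the two layers are all assumptions chosen for illustration; the real Storm Worm unpacker uses its own key material and layering, which the paper documents.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TEA_DELTA  0x9E3779B9u
#define TEA_ROUNDS 32

/* Standard TEA encryption of one 64-bit block (two 32-bit words). */
static void tea_encrypt_block(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (int i = 0; i < TEA_ROUNDS; i++) {
        sum += TEA_DELTA;
        v0 += ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        v1 += ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
    }
    v[0] = v0; v[1] = v1;
}

/* Standard TEA decryption: same schedule run backwards. sum starts at
 * TEA_DELTA * TEA_ROUNDS mod 2^32 = 0xC6EF3720. */
static void tea_decrypt_block(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = TEA_DELTA * TEA_ROUNDS;
    for (int i = 0; i < TEA_ROUNDS; i++) {
        v1 -= ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
        v0 -= ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        sum -= TEA_DELTA;
    }
    v[0] = v0; v[1] = v1;
}

/* Apply TEA to every 8-byte block of buf in place. Words are loaded in
 * host byte order (little-endian on the x86 targets Peacomm runs on).
 * len must be a multiple of 8. Returns 0 on success, -1 on bad length. */
static int tea_buffer(uint8_t *buf, size_t len, const uint32_t k[4], int decrypt) {
    if (len % 8 != 0) return -1;
    for (size_t off = 0; off < len; off += 8) {
        uint32_t v[2];
        memcpy(v, buf + off, 8);
        if (decrypt) tea_decrypt_block(v, k); else tea_encrypt_block(v, k);
        memcpy(buf + off, v, 8);
    }
    return 0;
}

/* Single-byte XOR mask (assumed layer; real samples vary). */
static void xor_buffer(uint8_t *buf, size_t len, uint8_t key) {
    for (size_t i = 0; i < len; i++) buf[i] ^= key;
}

/* Unwrap one "XOR then TEA" layer: strip the XOR mask, then TEA-decrypt.
 * The layering order is an assumption for this example. */
static int unpack_layer(uint8_t *buf, size_t len, uint8_t xor_key, const uint32_t tea_key[4]) {
    xor_buffer(buf, len, xor_key);
    return tea_buffer(buf, len, tea_key, 1);
}

/* Inverse of unpack_layer, used here only to build test input. */
static int pack_layer(uint8_t *buf, size_t len, uint8_t xor_key, const uint32_t tea_key[4]) {
    if (tea_buffer(buf, len, tea_key, 0) != 0) return -1;
    xor_buffer(buf, len, xor_key);
    return 0;
}

/* Round-trip demo on a constructed 16-byte "PE header" stub.
 * Returns 1 if packing changed the bytes and unpacking restored them. */
int demo_roundtrip(void) {
    static const uint8_t plain[16] = { 'M','Z',0x90,0,3,0,0,0,4,0,0,0,0xFF,0xFF,0,0 };
    const uint32_t key[4] = { 0x01234567u, 0x89ABCDEFu, 0xFEDCBA98u, 0x76543210u }; /* assumed */
    const uint8_t xor_key = 0x5A;                                                     /* assumed */
    uint8_t buf[16];
    memcpy(buf, plain, sizeof buf);
    if (pack_layer(buf, sizeof buf, xor_key, key) != 0) return 0;
    int changed = memcmp(buf, plain, sizeof buf) != 0;
    if (unpack_layer(buf, sizeof buf, xor_key, key) != 0) return 0;
    return changed && memcmp(buf, plain, sizeof buf) == 0;
}

int main(void) {
    printf("XOR+TEA round trip: %s\n", demo_roundtrip() ? "ok" : "FAILED");
    return demo_roundtrip() ? 0 : 1;
}
```

When you reverse a packer like this, the decryption loop is usually easy to spot in the disassembly by its constant: a 32-iteration loop that adds or subtracts 0x9E3779B9, or starts from 0xC6EF3720, is almost certainly TEA or a close relative (XTEA uses the same delta with a different mixing of the key words).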

Release of Capture-HPC 2.0

Thursday, September 13. 2007
Christian Seifert just mailed me and told me about the new release of Capture-HPC. Lots of new features are included in the release, which hopefully lowers the bar to get into research about malicious servers as well as expands the possibilities of that research. Here is a (partial) list of the new features:
  • support for any HTTP-aware client application (for example, Microsoft Excel)

  • ability to automatically collect malware

  • ability to automatically collect network traffic on the client

  • ability to push exclusion lists from the Capture Server to the Capture Client

  • improved control of Internet Explorer: obtain HTTP error codes; specify a visitation delay after the page has been retrieved; retry visiting URLs in case of timeouts or network errors, ...

  • support for a plug-in architecture that allows fine-grained control of clients (for example, as provided for Internet Explorer) and also allows the integration of client applications that require complex interactions to retrieve content from the web (e.g. Safari, which does not allow retrieval of web content by passing the URL as a command-line parameter)

The tool and the source code are available from https://www.client-honeynet.org/creleases.html.