lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
From: hughmann at (Hugh Mann)
Subject: Which worm?

From: Wolfram Schroeder <>
>2) The easiest way is to get a sample is to netcat -l -p 3127 > sample. The 
>port 3127 was the original MYDOOM-backdoor port. You have to remove the 
>first 5 bytes to get a working executable, I use vi for this. Many of the 
>samples you get with netcat are broken - complete samples seem to have 
>sizes > 99k, up to 150k, we're told. The largest one I got was 130k (may be 
>a broken version of the 150k sample), many others are 104k. AV-scanners 
>will sometimes identify the broken samples, sometimes not. My heuristics is 
>to look at the end of the file and see if there's a list of dll's. If not, 
>I consider it broken - does this make sense?

It's broken if it can't be loaded by Windows. What you should do is 
double-click the worm and see if Windows can load it. If it can, 
congratulations, you've got a working worm, if not, keep looking.

Or you can load the file in a debugger and if it works you shouldn't get any 
errors. Then terminate the process (which hasn't started yet). If you want 
to automate this you should write a simple PE tool that can check if all 
bytes are present on disk.

>3) The samples are compressed using various EXE-compressing tools. You can 
>learn about/download them at One sample I got (the 130k 
>sample) has been compressed using exe32pack (writes this info into the 
>executable), another one (99k) using UPX (has section names UPX0, UPX1 
>etc). the next one (104k) is compessed using an unknown tool or by an 
>handwritten tool. The exe32pack-packed sample expands to over 400k, the 
>UPX-sample to roughly 300k code. This is huge, for a worm.

The reason for this is that a script kiddie usually doesn't know that a 
bigger file is slower to upload. When he/she realizes that, he/she will 
usually send smaller files.

>These compessors often destroy information helpful with disassembling, with 
>the notable exception of UPX. If you want to have an easy to disassemble 
>sample I suggest you wait for the UPX-Version.

I hope AV companies don't follow your advice.

>You can discern it by loading it into vi and look for UPX0, or download 
>upx.exe and run upx -t virussample. You decompess it using the -d switch.
>Another question: Is there a quick way to find out which tool compressed an 
>executable? A tool maybe?

PEiD is popular.

>4) When you have an unpacked version, you can go and look for the strings 
>in the executable. The authors were helpful enough to include help texts. I 
>have the theory that you should be able to get the 
>host/channel/username/password for the relevant IRC-Channels from the 
>executable or a network sniffer, log in using an IRC-Client and execute 
>bot.die. Didn't try it, though.

Most of these IRC backdoors are generated automatically. When you've seen 
one you've seen 'em all.

>=>>> Final question: Is there a forum for worm-disassembling wannabes? <<<=

Full Disclosure a couple of times per year.

MSN Toolbar provides one-click access to Hotmail from any Web page  FREE 

Powered by blists - more mailing lists