
Re: [Full-Disclosure] Which worm?

From: Hugh Mann <hughmann@hotmail.com>
Date: Thu Apr 15 2004 - 19:18:41 EDT

From: Wolfram Schroeder <ws@informatik.uni-bremen.de>
>2) The easiest way to get a sample is to netcat -l -p 3127 > sample. The
>port 3127 was the original MYDOOM-backdoor port. You have to remove the
>first 5 bytes to get a working executable, I use vi for this. Many of the
>samples you get with netcat are broken - complete samples seem to have
>sizes > 99k, up to 150k, we're told. The largest one I got was 130k (may be
>a broken version of the 150k sample), many others are 104k. AV-scanners
>will sometimes identify the broken samples, sometimes not. My heuristic is
>to look at the end of the file and see if there's a list of dll's. If not,
>I consider it broken - does this make sense?

It's broken if it can't be loaded by Windows. What you should do is
double-click the worm and see if Windows can load it. If it can,
congratulations, you've got a working worm, if not, keep looking.

Or you can load the file in a debugger and if it works you shouldn't get any
errors. Then terminate the process (which hasn't started yet). If you want
to automate this you should write a simple PE tool that can check if all
bytes are present on disk.

>
>3) The samples are compressed using various EXE-compressing tools. You can
>learn about/download them at www.exetools.com. One sample I got (the 130k
>sample) has been compressed using exe32pack (writes this info into the
>executable), another one (99k) using UPX (has section names UPX0, UPX1
>etc). The next one (104k) is compressed using an unknown tool or by a
>handwritten tool. The exe32pack-packed sample expands to over 400k, the
>UPX-sample to roughly 300k code. This is huge, for a worm.

The reason for this is that a script kiddie usually doesn't know that a
bigger file is slower to upload. When he/she realizes that, he/she will
usually send smaller files.

>
>These compressors often destroy information helpful with disassembling, with
>the notable exception of UPX. If you want to have an easy to disassemble
>sample I suggest you wait for the UPX-Version.

I hope AV companies don't follow your advice.

>You can discern it by loading it into vi and looking for UPX0, or download
>upx.exe and run upx -t virussample. You decompress it using the -d switch.
>
>Another question: Is there a quick way to find out which tool compressed an
>executable? A tool maybe?

PEiD is popular.

>
>4) When you have an unpacked version, you can go and look for the strings
>in the executable. The authors were helpful enough to include help texts. I
>have the theory that you should be able to get the
>host/channel/username/password for the relevant IRC-Channels from the
>executable or a network sniffer, log in using an IRC-Client and execute
>bot.die. Didn't try it, though.

Most of these IRC backdoors are generated automatically. When you've seen
one you've seen 'em all.

>
>=>>> Final question: Is there a forum for worm-disassembling wannabes? <<<=

Full Disclosure a couple of times per year.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Received on Thu Apr 15 19:42:07 2004

This archive was generated by hypermail 2.1.8 : Thu Apr 15 2004 - 20:04:35 EDT
