Peacomm.C - Cracking the Nutshell

On 22th August 2007 I received an email informing me about "New Member Confirmation", including Confirmation Number, Login-ID and Login-Password. To stay secure I should immediately change my Login info on a provided website link. So I've started investigating what surprises are awaiting people clicking on such kind of links. Next to a friendly message telling me that my download should start in some seconds, I also got a browser exploit for free, to ensure the "software package" gets really shipped. "Hey that's cool", I thought by myself. "It's like Kinder Surprise® - three in one!" Unfortunately, at this time I hadn't enough incentive for a deep analysis and so I just stored the malicious file called applet.exe in my archive for later fun with it. Last week I had enough free time to throw it into IDA and my debuggers. After approximately one hour of investigation it was clear for me that the time had come for a new research paper, as this malware disclosed several interesting techniques, especially in the rootkit area. The opponent for this paper is called "Peacomm.C" and outlines the currently latest variant of this infamous P2P malware. The security industry gave it also several other names like "Storm Worm", "Nuwar" or "Zhelatin". The first variant "Peacomm.A" was detected in the mid of January 2007 and since then it has grown to one of the most successful botnets ever seen in the wild. It uses an adjusted Overnet protocol for spreading and communication. Its main intense is spamming and DDoS attacking. Also the fast-flux service network which is being used by the criminals behind the attacks is really amazing and frightening at the same time. As its botnet activities are not the focus of this essay, I've included interesting other papers covering these topics.