Posted March 10, 200817 yr Nice paper by dannyquist over at offensive computing.http://www.offensivecomputing.net/?q=node/661This paper will detail the analysis methods of W32/StormWorm.gen1 and show a process injection method it uses to run malicious code in user-space. This variant loads a driver into the kernel which then injects itself into the running services.exe process. The worm then connects to a P2P network sending spam, initiating DDoS from the infected computer. This technique does not use a packer in the traditional sense but a two-stage loader to inject itself into a running process from kernel space. I will show the decoding process and methods for extracting the true malicious code from the driver executable.The pdf can be downloaded from their site.
March 11, 200817 yr Geez i wish i had this info about 3 days ago when i removed it from my mates Vista on the weekend..
Create an account or sign in to comment