Loki Posted March 10, 2008 Share Posted March 10, 2008 Nice paper by dannyquist over at offensive computing.http://www.offensivecomputing.net/?q=node/661This paper will detail the analysis methods of W32/StormWorm.gen1 and show a process injection method it uses to run malicious code in user-space. This variant loads a driver into the kernel which then injects itself into the running services.exe process. The worm then connects to a P2P network sending spam, initiating DDoS from the infected computer. This technique does not use a packer in the traditional sense but a two-stage loader to inject itself into a running process from kernel space. I will show the decoding process and methods for extracting the true malicious code from the driver executable.The pdf can be downloaded from their site. Link to comment Share on other sites More sharing options...
syk071c Posted March 11, 2008 Share Posted March 11, 2008 Geez i wish i had this info about 3 days ago when i removed it from my mates Vista on the weekend.. Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now