Jump to content
Tuts 4 You

Waledac's Anti-Debugging Tricks


sirp

Recommended Posts

even more of that nasty tricks ,)

The last spreading malware version of Waledac, a notorious spamming botnet that has been taken down in a collaborative effort

lead by Microsoft earlier this year, contained some neat anti-debugging tricks in order to make reverse-engineering more difficult.

Felix Leder and I have been presenting about the approach at SIGINT 2010 in Cologne yesterday, and as the method seems to be not

publicly known yet, I will quickly describe it here as well.

Here's the Info

Link to comment
  • 2 weeks later...

as the method seems to be not publicly known yet, I will quickly describe it here as well.

The int 2e edx value has been used for a while by other malware. I suppose that no-one talked about it because it's well-understood.

However, they lost Windows 2000 compatability when they switched to that technique.

The reason why is obscure, but it's described in one of my Anti-Unpacker papers which will be published in a couple of months. :-)

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...