REBlog
October 19th, 2007, 20:57
"You got a pocket pager? What are you, a doctor?"
- Dr. Gillian Taylor, Star Trek IV
No, I'm not a doctor. I'm the Virus Analyst on-duty this week. But I am carrying around a pager (in case an important new threat comes out).
As luck would have it, one such threat came up yesterday. Dasher.C was released (thanks, Jose), and as the off-hours Analyst on-duty, it was my job to analyze it.
Dasher.C was packed with Upack, an interesting little packer. At first, I thought the sample file was corrupt, since its PE header looked all screwed up and when I loaded it into OllyDbg, OllyDbg gave an error and landed in ntdll. Before I classified it as corrupted though, I tried running it (F9 in OllyDbg). Sure enough, it ran fine.
So what was going on? Well, OllyDbg didn't like the look of the headers any more than I did, and dropped me into ntdll instead of breaking at the entry-point of the sample. Once I realized that it wasn't corrupted after all, I looked up the entry-point with a PE editor, reloaded the sample in OllyDbg and set a breakpoint on the entry-point address, and let it run. OllyDbg then hit the breakpoint at the entry-point, and I was able to trace it easily to the OEP.
What's the takeaway?
Short: No matter how corrupt something looks, always try running it before throwing it away.
Long: When dealing with Upack or similar packers, setting a breakpoint on the EP after loading the sample into OllyDbg works just fine, despite the error message and ntdll screenful.
Bonus: Quoting Star Trek IV is now considered the "cool" thing to do.
http://malwareanalysis.com/CommunityServer/blogs/geffner/archive/2005/12/18/8.aspx
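To make concrete what "looking up the entry-point with a PE editor" amounts to, here is an added Python example (not code from the original post or from any tool it mentions) that reads the EP straight from the headers and flags the layout that trips a debugger, NT headers placed inside the 0x40-byte DOS header. The header bytes are constructed for the example and only modelled on that overlapping-header trick; they are not taken from Dasher.C or Upack.

```python
import struct

DOS_HEADER_SIZE = 0x40  # a normal PE puts the NT headers at or after this offset

def find_entry_point(data: bytes) -> dict:
    """Read the entry point straight from the PE headers.

    Only the fields actually needed are read and only the two signatures are
    checked, so headers a debugger refuses (e.g. NT headers overlapping the
    DOS header) still yield the EP address to break on.
    """
    if len(data) < DOS_HEADER_SIZE or data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt = e_lfanew + 24  # optional header follows the 4-byte signature + 20-byte COFF header
    if opt + 32 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    magic = struct.unpack_from("<H", data, opt)[0]
    ep_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    if magic == 0x10B:                                       # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                     # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return {
        "e_lfanew": e_lfanew,
        "sections": num_sections,
        "ep_rva": ep_rva,
        "ep_va": image_base + ep_rva,
        # NT headers inside the DOS header is what upset the debugger; worth flagging on its own
        "overlapping_headers": e_lfanew < DOS_HEADER_SIZE,
    }

def build_sample() -> bytes:
    """Constructed header (not a real sample): NT headers start at 0x10, inside the DOS header."""
    hdr = bytearray(0x60)
    hdr[0:2] = b"MZ"
    hdr[0x10:0x14] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine i386, 3 sections, no timestamp/symbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", hdr, 0x14, 0x14C, 3, 0, 0, 0, 0xE0, 0x10F)
    # IMAGE_OPTIONAL_HEADER (PE32) at 0x28: Magic, linker ver, three sizes, AddressOfEntryPoint,
    # BaseOfCode, BaseOfData, ImageBase. BaseOfCode lands at file offset 0x3C, so it doubles as e_lfanew.
    struct.pack_into("<HBBIIIIIII", hdr, 0x28, 0x10B, 0, 0, 0x1000, 0, 0, 0x1018, 0x10, 0, 0x400000)
    return bytes(hdr)

if __name__ == "__main__":
    info = find_entry_point(build_sample())
    print("break on EP at 0x%08x (overlapping headers: %s)" % (info["ep_va"], info["overlapping_headers"]))
```

The returned `ep_va` is the address to set the OllyDbg breakpoint on; `overlapping_headers` being true is the same condition that made the file look corrupt at first glance.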