Kayaker
May 4th, 2009, 18:17
SANS doesn't post malware analysis articles very often, but being SANS you can always expect a certain level of quality. This is a fairly nice overall example of the general steps taken to analyse a Trojan-Downloader that is worthy of reference here.
Reverse Engineering a Windows Screensaver e-Postcard
http://www.sans.org/reading_room/whitepapers/malicious/
http://www.sans.org/reading_room/whitepapers/malicious/reverse_engineering_a_windows_"screensaver"_epostcard_33074
The malware is identified as Pushdo, which references rootkit driver pdb files in a "Siberia2" folder. Unfortunately the rk drivers themselves aren't analysed, but there is some discussion about them elsewhere:
http://www.sophos.com/blogs/sophoslabs/v/post/1564
Rootkit drivers are what intrigue me; this might be an interesting malware to explore further if a sample becomes available...
Cheers,
Kayaker