This section is very technical and can be skipped.
I am not doing black-box analysis (too many people already do that, and their conclusions are rather inconsequential); instead I disassemble Brontok directly. The first version of Brontok was compiled to p-code (similar to Java bytecode) and is easy to understand. The newer version of Brontok uses native code, which makes analysis harder. Analysis of the first version will not be discussed.
Before I explain the analysis process, I should mention that I keep several copies of Brontok under different names, one for each step (debugging, disassembling, and so on) performed with a different program. The goal of copying is to keep me safe (so I do not accidentally run the EXE file) and to protect my copy of Brontok from mistakes, since a tool may modify the file it is given.
The Brontok EXE file is packed with MeW, so it must be decrypted/extracted with UnMeW. This changes the file structure, so programs that analyze Visual Basic executables, for example Race, can no longer recognize the file as a VB executable. Fortunately, one of the analysis tools, VBDE, can still extract a little information from the file.
VBDE in action
VBDE is used to obtain basic information about VB files
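The copy-per-tool habit described above and the check that the VB markers reappear after unpacking can both be scripted. The following is an added example, not code from the original post; the tool names, the `.bin` extension and the marker strings are my choices, and the test input is constructed.

```python
import hashlib
import os
import shutil
import stat
from pathlib import Path

VB_RUNTIME = b"MSVBVM60.DLL"   # import name of the VB6 runtime library
VB_SIGNATURE = b"VB5!"         # signature that opens the VB project header


def sha256_of(path):
    """Return the hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_working_copies(original, tool_names, workdir):
    """Create one read-only, non-executable copy of the sample per tool.

    Each copy gets a .bin extension so a stray double-click cannot launch
    it, and is made read-only so a tool that tries to patch it in place
    fails loudly instead of silently altering the only copy.
    Returns a dict mapping tool name -> path of that tool's copy.
    """
    workdir = Path(workdir)
    workdir.mkdir(parents=True, exist_ok=True)
    copies = {}
    for tool in tool_names:
        dest = workdir / f"{Path(original).stem}_{tool}.bin"
        if dest.exists():  # allow re-running over an older read-only copy
            os.chmod(dest, stat.S_IRUSR | stat.S_IWUSR)
        shutil.copyfile(original, dest)
        os.chmod(dest, stat.S_IRUSR)  # owner read-only, no execute bit
        copies[tool] = str(dest)
    return copies


def unchanged(original, copy):
    """True if the copy still hashes identically to the original sample."""
    return sha256_of(original) == sha256_of(copy)


def vb_indicators(path):
    """Report which VB6 markers are visible in the raw file bytes.

    A packed sample usually hides both markers; after unpacking they
    should reappear, a quick sanity check that unpacking produced the
    real VB executable rather than another wrapper layer.
    """
    data = Path(path).read_bytes()
    return {"vb_runtime_import": VB_RUNTIME in data,
            "vb5_signature": VB_SIGNATURE in data}
```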
Because the file uses native code, the best disassembler is IDA Pro (I use the freeware version); with IDA Pro I can see quite a lot in Brontok. Unfortunately, IDA Pro cannot see the Visual Basic VTABLE (the method table, which is very important in code compiled from an object-based language), so the easiest way to get at it is to run Brontok.
Before running Brontok for the first time, the Brontok binary must be edited to turn off the timer (set the interval to 0 so the timer never fires). The editing is done with a hex editor (I use Hexplorer, which is free), and it takes a little guesswork to get right. Most of Brontok's work is done in the timer, so with the timer off, Brontok can be analyzed fairly safely (but it is still dangerous).
Hex editor display when Brontok is opened
The approach to analyzing Brontok
Posted by
UsyL-MeL iN OnLiNe
Thursday, 06 November 2008