

Recently, the Northeast Ohio Information Security Forum put on a malware reverse engineering challenge. The winners still haven’t been announced because they’re still reviewing all the submissions, but below is the write-up that I submitted:

My analysis environment consists of a MacBook with 2GB of memory running MacOSX 10.5.5. I use VMWare Fusion 2.0 since this lets me take multiple snapshots and revert back to any of my previous snapshots. The first virtual machine is a stock Windows XP Pro machine with minimal extra software installed. OllyDbg is the main application installed, along with other utilities like Process Monitor, Regshot, Wireshark and PEiD. The other virtual machine is a stock Ubuntu 8 machine used only when I need a Linux platform for analysis.

Is the malware packed? If so, how did you determine what it was?

I chose to answer this question second since if an executable is packed then there isn’t a lot of static analysis you can do until it is unpacked. The first thing I did was open up malware.exe in OllyDbg. OllyDbg immediately displayed the following warning: “Quick statistical test of module ‘malware’ reports that its code section is either compressed, encrypted, or contains large amount of embedded data. Results of code analysis can be very unreliable or simply wrong.”
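The OllyDbg warning quoted above is the result of a statistical look at the code section: compressed or encrypted bytes have near-random entropy, which ordinary x86 code does not. The following is an added example of my own, not code from the write-up, the challenge, OllyDbg or PEiD. It parses a PE section table with nothing but the standard library, computes per-section Shannon entropy, and reports the same kinds of packing indicators a PEiD/OllyDbg triage keys on: well-known packer section names, a high-entropy executable section, and a UPX0-style writable+executable section with no raw data on disk. The two images it analyzes are constructed inline (they are not runnable programs); the 7.0 bits/byte threshold and the packer section-name list are assumptions of this example, not anything from the original post.

```python
import hashlib
import math
import struct

# Section names commonly left behind by packers (UPX, ASPack, Petite, MPRESS, VMProtect, Themida).
# Assumed list for this example; extend it for your own triage.
KNOWN_PACKER_SECTIONS = {
    "UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite",
    ".MPRESS1", ".MPRESS2", ".vmp0", ".vmp1", ".themida",
}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: ~0 for padding, close to 8 for compressed/encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Walk the PE section table; yield (name, virtual_size, raw_bytes, characteristics)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER follows the signature
    num_sections, = struct.unpack_from("<H", image, coff + 2)
    opt_size, = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size                         # section headers follow the optional header
    for i in range(num_sections):
        off = table + 40 * i
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        chars, = struct.unpack_from("<I", image, off + 36)
        yield (name.rstrip(b"\0").decode("ascii", "replace"), vsize,
               image[raw_ptr:raw_ptr + raw_size], chars)


def packing_indicators(image: bytes, entropy_threshold: float = 7.0):
    """Return human-readable reasons to suspect packing (empty list if none found)."""
    findings = []
    for name, vsize, raw, chars in pe_sections(image):
        executable = bool(chars & IMAGE_SCN_MEM_EXECUTE)
        writable = bool(chars & IMAGE_SCN_MEM_WRITE)
        if name in KNOWN_PACKER_SECTIONS:
            findings.append(f"section {name!r} is a well-known packer section name")
        if executable and raw and shannon_entropy(raw) > entropy_threshold:
            findings.append(f"executable section {name!r} has entropy "
                            f"{shannon_entropy(raw):.2f} bits/byte (compressed or encrypted?)")
        if executable and writable and not raw and vsize:
            findings.append(f"section {name!r} has no raw data but {vsize:#x} bytes of "
                            f"writable+executable virtual space (unpack target?)")
    return findings


def _deterministic_noise(n: int) -> bytes:
    """Stand-in for compressed data: a SHA-256 chain, so the constructed sample is reproducible."""
    out, block = bytearray(), b"constructed sample"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample(packed: bool) -> bytes:
    """Constructed, minimal PE32 image: UPX-style layout if packed, plain .text/.data otherwise."""
    align = 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew -> PE header at 0x40
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                # PE32 magic, rest zeroed (224 bytes)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    rx, rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    if packed:
        sections = [("UPX0", 0x10000, b"", rwx),                # empty on disk, filled by the stub
                    ("UPX1", 0x1000, _deterministic_noise(0x1000), rwx)]
    else:
        code = b"\x55\x8b\xec\x33\xc0\x5d\xc3" * 300           # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
        sections = [(".text", len(code), code, rx | 0x20),
                    (".data", 0x200, b"\0" * 0x200, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | 0x40)]
    raw_ptr, vaddr, headers, body = align * 2, 0x1000, b"", b""
    for name, vsize, raw, chars in sections:
        raw_size = (len(raw) + align - 1) // align * align
        headers += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, vaddr, raw_size,
                               raw_ptr if raw else 0, 0, 0, 0, 0, chars)
        body += raw.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += max(vsize, 0x1000)
    image = dos + b"PE\0\0" + coff + opt + headers
    return image.ljust(align * 2, b"\0") + body                  # headers padded to 0x400, then raw data


if __name__ == "__main__":
    for label, sample in (("plain", build_sample(False)), ("packed", build_sample(True))):
        print(label, packing_indicators(sample) or ["no packing indicators"])
```

The entropy test is a heuristic, not proof: a large embedded resource or certificate blob raises entropy too, which is exactly the caveat in OllyDbg's wording ("compressed, encrypted, or contains large amount of embedded data"). Treat a hit as a reason to confirm the packer (PEiD signatures, the entry point landing in a non-.text section, an unpacking stub that ends in a long jump) before deciding how to unpack.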
