Thursday, May 21, 2009

another approach - trying to analyze mebroot (torpig) - part 0.6

Starting from x53d03e99cfbfaa0df3695c27b2b5f364 it was been detect a pedantic anti debugging technique (IMHO). Specifically in this case the authors has used a pushf/popf tricks. Since the pushf popf anti debugging technique it seem require the writing of a custom exception handler for handling the ONE_STEP exception, and since I don't want use this approach for a trojan that is yet fully documented on the net, I decide to start with a classical analysis tools such as filemon (sysinternals.com). The following screen shots shown the creation of two file (one .exe and one .dll) named as 31.tmp and 32.tmp:


creation of 31.tmp (.exe component)
md5: 0x4c57e1af6d0dff3a64c3f31a1646fb2a

http://www.threatexpert.com/report.aspx?md5=4c57e1af6d0dff3a64c3f31a1646fb2a



creation of 32.tmp (.dll component)
md5:0xfee2385af796a198a7822ad7d0d7ad88
http://www.threatexpert.com/report.aspx?md5=fee2385af796a198a7822ad7d0d7ad88


During analysis with fmon, it was shown that the .exe, (created and launched by spreader) component drop the .dll component. The dll, as usually, is used by svchost.exe.



No comments:

Post a Comment