Thursday, May 14, 2009

first look - trying to analyze mebroot (torpig) - part 0.5

My submission to for md5:0x53d03e99cfbfaa0df3695c27b2b5f364 (Sinowal/Mebroot and, I hope, Torpig related):

How to detect

What ArmInline shows for 0x53d03e99cfbfaa0df3695c27b2b5f364 while it runs under OllyDbg:

It seems packed, but not with UPX. It may have been packed with Armadillo or something similar. As shown, there are a lot of int 3 instructions (usually a marker of an anti-debugging technique).
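A quick triage script for the two observations above ("seems packed" and "a lot of int 3"), added here as an example; it is not part of the original post and not output from ArmInline or OllyDbg. It parses the PE section table by hand (no pefile dependency), computes Shannon entropy per section as a packing heuristic, and counts 0xCC (int 3) bytes per section. The image it scans is a constructed two-section PE-shaped blob built in `build_sample_pe()`, not the real sample with the MD5 above; the 7.0-bit entropy threshold is an assumed rule of thumb, not a fixed fact.

```python
import math
import random
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 for compressed/encrypted data, low for plain code/padding."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for each section, walking the PE headers manually."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature:
    #   +6 NumberOfSections (u16), +20 SizeOfOptionalHeader (u16)
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    sec_table = e_lfanew + 4 + 20 + size_opt
    for i in range(num_sections):
        off = sec_table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        # +16 SizeOfRawData, +20 PointerToRawData
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)
        yield name, image[raw_ptr:raw_ptr + raw_size]


def triage(image: bytes, packed_threshold: float = 7.0):
    """Per-section entropy and int 3 density; 'packed_like' is an assumed heuristic."""
    report = []
    for name, data in pe_sections(image):
        ent = shannon_entropy(data)
        int3 = data.count(0xCC)
        report.append({
            "name": name,
            "size": len(data),
            "entropy": round(ent, 2),
            "int3": int3,
            "int3_ratio": round(int3 / len(data), 3) if data else 0.0,
            "packed_like": ent > packed_threshold,
        })
    return report


def build_sample_pe() -> bytes:
    """Constructed sample, not the real binary: a minimal PE32 with two sections.
    .text is a tiny stub padded with int 3; .pack is pseudo-random (high entropy)."""
    rng = random.Random(1)
    text = bytes([0x55, 0x8B, 0xEC, 0x5D, 0xC3]) + b"\xCC" * 123   # 128 bytes
    pack = bytes(rng.randrange(256) for _ in range(1024))
    e_lfanew, size_opt = 0x40, 0xE0                                  # PE32 optional header size
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, size_opt, 0x102)
    opt_hdr = b"\0" * size_opt
    text_ptr, pack_ptr = 0x200, 0x400

    def sec(name, vsize, va, raw_size, raw_ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, flags)

    headers = (dos + b"PE\0\0" + file_hdr + opt_hdr
               + sec(b".text", len(text), 0x1000, len(text), text_ptr, 0x60000020)
               + sec(b".pack", len(pack), 0x2000, len(pack), pack_ptr, 0xE0000040))
    image = bytearray(headers)
    image += b"\0" * (text_ptr - len(image)) + text
    image += b"\0" * (pack_ptr - len(image)) + pack
    return bytes(image)


if __name__ == "__main__":
    for row in triage(build_sample_pe()):
        print(row)
```

Run it against the real sample with `triage(open(path, "rb").read())`; a near-8.0 section next to a small, low-entropy loader section is the usual packer shape, and a section that is mostly 0xCC is worth a look before single-stepping into it.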

