ARTeam: Introduction To Malware Techniques and Logics Part 1

Shub-nigurrath
Senior Member
Posts: 431
Joined: Mon May 10, 2004 2:00 pm
Location: Obscure Kadath

ARTeam: Introduction To Malware Techniques and Logics Part 1

Post by Shub-nigurrath »

Hi all,
a new tutorial from Gunther has been published on our site.
Following the great works by EvilCry, I have decided it’s time to release some of my past and present works on Malware Analysis (some of them will be coming soon). This is in the hope of igniting some interests in Malware Analysis via Reverse Engineers’ mindset.
This tutorial is written to provide a better understanding of where to find information and what is the aim of most Trojans. Their aim is simply to steal information or to act as a Bot in a Botnet. Please note that this article has been written for learning purposes and not for complex functionality. In the early days, there were many incidents where users received emails with malicious CHM (Microsoft Compiled HTML Help) and DOC (Microsoft Office Word Document) attachments containing Trojan Riler which is also known as BackDoor-BCB.
So I have decided to impart some of my knowledge on Forensics in order to complete this tutorial, writing “Introduction to Malware Techniques and Logics part 1”. The tutorial will cover different issues:
  • How to decompile .CHM files.
  • How to detect and analyse the shellcode
  • How to dump the backdoor components
  • How to discover the communication protocol
I hope that this could begin a new chapter in the ongoing series of Reverse Engineering and Forensics guides from ARTeam and spark a new interest.
available for download here:

http://www.accessroot.com/arteam/site/d ... p?view.312
(¯`·._.·[¯¨´*·~-.¸¸,.-~*´¨ Ŝħůβ¬Ňïĝµŕřāŧħ ₪¯¨´*·~-.¸¸,.-~*´¨]·._.·´¯)
There are only 10 types of people in the world: Those who understand binary, and those who don't
http://www.accessroot.com
JMI
Senior Member
Posts: 5329
Joined: Wed Apr 25, 2001 2:00 pm

Post by JMI »

Thanks as always Shub for sharing with our readers!

:yay:

Regards,
JMI
APACHE
Posts: 11
Joined: Thu Aug 27, 2009 2:43 am
Location: Behind You

Great Job dude...!!!

Post by APACHE »

Really a great work.... it really gives an idea of malware's behaviour and is very good for beginners... and "ARTeam's tutorials"... no one can beat the quality...
Thanks Shub, Gunther... and... and... and... "EVILCRY" :yay:

But I think a correction would be right (not necessary if you guys don't want): :D

password: infected (not "INFECTED" as given in the pdf), and what is the password of <logs.zip> inside this (malware_sample_beware) password-protected archive? :confused:
evilcry
Senior Member
Posts: 133
Joined: Mon Aug 08, 2005 1:01 am
Location: Italy

Post by evilcry »

Thank you Apache :) but the great work is done by Gunther =)

Some day I'll come with another Malware RCE paper ;)

Regards,
Evilcry
Shub-nigurrath
Senior Member
Posts: 431
Joined: Mon May 10, 2004 2:00 pm
Location: Obscure Kadath

Post by Shub-nigurrath »

On the first page there was wrong password information to open the internal archive; I have since updated the tutorial online.
IndiGenus
Junior Member
Posts: 2
Joined: Sat Sep 19, 2009 8:16 pm

Post by IndiGenus »

Great tutorial for nubeez like me, thank you. :yay:

Question.... I don't see the .chm or .doc files in the download package. And I cannot unzip the logs.zip file, as it says the "infected" password is not correct.

Thanks again,
Dave
nEINEI
Junior Member
Posts: 9
Joined: Mon Jan 12, 2009 9:57 pm

Post by nEINEI »

3ks, good
Shub-nigurrath
Senior Member
Posts: 431
Joined: Mon May 10, 2004 2:00 pm
Location: Obscure Kadath

Post by Shub-nigurrath »

If you download the package again you'll see the updated passwords on the first page. There are two passwords: for the first archive it is "infected", for the inner zip it is "password", all small caps.
IndiGenus
Junior Member
Posts: 2
Joined: Sat Sep 19, 2009 8:16 pm

Post by IndiGenus »

Thank you Shub-nigurrath. I thought I had re-downloaded it but I guess not.
pk.
Junior Member
Posts: 2
Joined: Thu Oct 18, 2012 8:48 am

Post by pk. »

Thank you Shub-nigurrath.