Archive for February, 2007

Analysis of the worm “Tibick.D”

February 23, 2007

The aim of this article is to give an introduction to the field of malware analysis. The worm dissected later in this article is neither new nor unknown and has been analyzed already. A very simple and primitive worm has been chosen to make this article as understandable as possible, especially to those who have never reversed a worm before or are (relatively) new to reverse engineering.
This article might not be very interesting for advanced (malware) reversers.

A Closer Look at the Worm_Mimail.A

February 18, 2007

“A Closer Look at the Worm_Mimail.A” (written by C. Hornat) is a good analysis of techniques you see used in many malware samples. This analysis shows how these things work.
“On August 1, 2003, I encountered several emails from my email admin account informing me that my email address will be expiring and that I should read an attachment for further details. Being suspicious, I analyzed that file and the effects of it. This is a short overview of what I have found so far.”


Hacking The Malware

February 16, 2007

This paper attempts to document how attackers make use of vulnerabilities to install malicious software on a vulnerable machine. A comprehensive reverse-engineered analysis of the malicious software (Win32.Qucan.a) and the protection schemes that various security products use against the worm are also discussed.


The Science of Malware Analysis

February 15, 2007

This paper about reversing malware was written by Mad_guy.
“Malware . . . it’s all over. It has been successful in attracting worldwide attention by infecting systems and causing damage worldwide. We try as hard as we can to scan it, detect it, and monitor activities on the internet. But alas, no box is perfectly secure.”

win32 Buffer Overflow

February 8, 2007

Real Life Vuln-Dev Process of a Win32 Stack Buffer Overflow
Introduction from the paper:
Many times Sergio has been asked to write a paper about how to code an exploit for Win32, for two reasons: first, because there are many papers about exploitation on *nix but few about how to exploit in the Win32 world, and second, because papers about Win32 exploitation are very difficult to understand for people without a good understanding of ASM and C. So Sergio thought that the best way to make something clear was to write something as simple as possible, without leaving anything for the readers to guess. Well, this is what Sergio thinks is the easiest he could do: explaining the whole process of finding, debugging and exploiting a black-box application. For this purpose Sergio has chosen ‘War-FTPd v1.65’, a known stack b0f bugged piece of software, which is going to be used in this tutorial.
