Re: unpacking UPX or PE-packed binaries
From: Inode (inode mediaservice.net)
Date: Fri Apr 23 2004 - 15:03:48 CDT
One of the most important unpacker resources...
http://protools.anticrack.de/unpackers.htm
Inode_
Gadi Evron wrote:
>> Just interested in how AV R&D companies unpack worms with complex UPX
>> and PE
>> pack protocols.
>
>
> Myself I am not a reverse engineer for years now, so there are far more
> knowledgeable people around who can answer you, but the basic answer
> would be - depends on the packer.
>
> Some are simple scramblers, moving the EP and "jumbling the PE binary"
> in layman's terms, so you'd need to find the original EP and follow
> things from there. Some use more sophisticated ways such as obfuscation,
> anti-debugging code, anti-softice code, etc. That is when things get
> tricky.
>
> Usually there exist unpackers, or such tools are built by the researcher
> who is in need.
>
> When one does not exist, in most (uncomplicated) cases, a memory dump
> would work fine. There are many online tools to accomplish this.
>
> A third way I can think of right now is the use of an emulator. Usually
> full API emulators can be found only in AV labs for limited use. None can
> be found for commercial use as far as I know (yet).
>
> When VX-ers pack a sample they just make the AV researcher work a bit
> harder. Usually that means 2-4 more seconds of work, so if we follow the
> concept of Security by Obscurity, they actually only harm their "cause"
> by drawing attention to themselves rather than tackle AV researchers.
>
> In rare cases it takes a bit longer than 4 seconds, and gaining a bit of
> time before a signature is out there is all the VX-ers accomplish. That
> isn't much and is actually a bad idea as I hinted above (drawing
> attention to the binary).
>
> Lately VX-ers have been using many double and triple-packing techniques.
> These don't help them much but as they learned, about half of the AV
> engines out there can't deal with that (or packed files, in any case,
> to begin with).
>
> Which is why in many cases we see an exact duplicate of a sample only
> re-packed with a different packer, declared as a new threat, as some of
> the AV engines can't cope with it. Notable exceptions who do deal with
> this issue, each to a different level are: Kaspersky, BitDefender,
> DrWeb, Mcafee and Norton; among others.
>
>> Been trying to dissect the recent Gaobot variants and getting nowhere
>> with
>
>
> There are 3 to 20 new Agobots coming out every day.. which ones? :)
>
>> my generic UPX-unpacker. Since this is more and more commonly used, I
>> thought I would be wise to consult the Lists.
>
>
> Generic UPX? "upx -d" should work fine. A few reasons why it might not
> is because it is not a generic UPX packed file. Maybe some tool such as
> UPXredir(ect) was used, or maybe the UPX header is broken.. You'll have
> to play with it a bit.
>
> Myself, as I already mentioned, I haven't done anything remotely similar
> in years and can hardly be called an expert, but I know a couple of guys
> who had too much experience in this, such as Nicolas Brulez, Rolf Rolles
> and Joe Stewart. Maybe one of them, or someone else, would answer your
> question more comprehensively.
>
> For generic UPX I suppose you should have no problem using a memory dump
> tool, but again - it all depends on the actual packer used.
>
> On a final note, if I misunderstood you and a sample infected you and
> you are just trying to get rid of it.. if you'd like you can
> PGP/GPG/ZIP-passwd the sample to me and I'd get back to you about what
> it is and how to get rid of it.
>
> Gadi Evron.
>
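The thread leaves the "upx -d should work, unless the file is not stock UPX or the header is broken" point without a way to check it. The script below is an added example, not code from the thread or from the UPX project: it parses the PE section table by hand, then applies three indicators a stock UPX build leaves behind (sections named UPX0/UPX1, the "UPX!" magic the decompressor looks for, and a first section with no bytes on disk but a non-zero virtual size) to say whether `upx -d` is likely to succeed or whether a memory dump is the quicker route. The function names and the verdict strings are my own; `build_sample` constructs a toy PE for the demonstration and is not a real binary.

```python
"""Added triage helper (not from the original thread): inspect a PE's section
table and look for the UPX header magic to tell a stock UPX file, on which
"upx -d" works, from one whose UPX header has been damaged or renamed."""
import struct
import sys

UPX_MAGIC = b"UPX!"  # header magic that the stock UPX decompressor checks for


def parse_sections(data):
    """Return the PE section table as a list of dicts (name, sizes, offsets)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size               # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from(
            "<8sIIII", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "vsize": vsize, "vaddr": vaddr,
                         "rsize": rsize, "rptr": rptr})
    return sections


def triage_upx(data):
    """Return (indicators, verdict) for one PE image held in memory."""
    sections = parse_sections(data)
    names = [s["name"] for s in sections]
    ind = {
        # stock UPX names its sections UPX0 / UPX1 (plus .rsrc)
        "upx_section_names": any(n.startswith("UPX") for n in names),
        # "upx -d" refuses the file when this magic has been overwritten
        "upx_magic_present": UPX_MAGIC in data,
        # UPX0 is virtual-only: zero bytes on disk, but a mapped range in memory
        "empty_first_section": bool(sections)
        and sections[0]["rsize"] == 0 and sections[0]["vsize"] > 0,
    }
    if ind["upx_section_names"] and ind["upx_magic_present"]:
        verdict = "stock UPX layout: 'upx -d' should work"
    elif ind["empty_first_section"] and (ind["upx_section_names"]
                                         or ind["upx_magic_present"]):
        verdict = ("UPX-like layout with damaged or renamed header: "
                   "'upx -d' will refuse it; dump the process from memory instead")
    elif ind["empty_first_section"]:
        verdict = "packer-like layout, but no UPX indicators"
    else:
        verdict = "no UPX indicators"
    return ind, verdict


def build_sample(section_names, include_magic=True, first_empty=True):
    """Constructed toy PE (not a real binary) for demonstration: optional
    UPX0-style empty first section, a 512-byte payload in the other sections."""
    nsec = len(section_names)
    opt_size = 0xE0                                      # PE32 optional header
    hdr_end = 0x40 + 4 + 20 + opt_size + 40 * nsec
    raw_off = (hdr_end + 0x1FF) & ~0x1FF                 # 512-byte file alignment
    payload = (UPX_MAGIC if include_magic else b"XXXX") + b"\x0d" + b"\0" * 0x1FB
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x102)
    table = b""
    for i, name in enumerate(section_names):
        empty = first_empty and i == 0
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             0x1000, 0x1000 * (i + 1),
                             0 if empty else len(payload),
                             0 if empty else raw_off,
                             0, 0, 0, 0, 0x60000020)
    image = dos + coff + b"\0" * opt_size + table
    return image + b"\0" * (raw_off - len(image)) + payload


if __name__ == "__main__":
    if len(sys.argv) > 1:                     # triage a real file from disk
        with open(sys.argv[1], "rb") as fh:
            print(triage_upx(fh.read()))
    else:                                     # demo on the constructed samples
        for label, sample in [
            ("stock", build_sample(["UPX0", "UPX1", ".rsrc"])),
            ("damaged", build_sample(["UPX0", "UPX1", ".rsrc"], include_magic=False)),
            ("plain", build_sample([".text", ".data"], False, first_empty=False)),
        ]:
            print(label, triage_upx(sample)[1])
```

Run it with a file path to triage a real sample, or with no arguments to see the three constructed cases. The indicators are deliberately coarse; a file that matches none of them can still be packed with something other than UPX, which is the "depends on the packer" point made above.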