Reverse Engineering

January 08, 2005

Malware analysis: Troj/Winser-A

Earlier this week, Lawrence Baldwin of myNetWatchman provided me with a malware binary, and it was later identified as Troj/Winser-A by Sophos. I dug into it with my usual tools, and the result is a paper:

Unixwiz.net Research: Analysis of the Troj/Winser-A Malware

I've done reverse engineering before, but have never waded into the world of IRC - this one joined a botnet - and the process was quite an eye opener for me. I had long believed that IRC is nothing but a sewer, and this recent experience has done nothing but confirm it.

Ultimately, the DNS name that the bots "phoned home" to was removed - for unknown reasons - and because it not a worm, it didn't spread very far as far as we know.

Posted at 02:12 PM in Reverse Engineering | | Comments (2) | TrackBack (0)

ABOUT STEVE

  • Steve Friedl is a software and network security consultant in Southern California. He has been a C and UNIX developer since 1981 and has an exceptionally broad background in this area. Some areas of expertise include:

    • C and C++ systems software development on the UNIX and Win32 platforms
    • Communications, including serial and TCP/IP based controllers
    • Enterprise internet security administration and configuration
    • Penetration tests, audits, and network reviews
    • Security forensics, reverse engineering, and tools development
    • General UNIX and Windows system/network administration
    • The Windows Printing System
    • Database software development
    • Technology problem solving and research
    • Technical writing and standup training

Recent Posts

Categories

Archives

Unix Wiz

Stephen J. FriedlSoftware ConsultantOrange County, CA USASteve@unixwiz.net