VX reversing II, sasser B

The Sasser worm from May of 2004 provides an excellent example of modern malware in a reverse engineering setting. Eduardo Labir's article for the CodeBreakers Journal is a nice tutorial on how to really get into code, analyze it, and understand what is going on.

Tools you'll want to have handy: VMware, so that you don't trash your main machine (another throwaway machine may also be used, but a virtual system is usually the handiest way to keep the number of physical machines down); OllyDbg, a free 32-bit debugger with plenty of nice features; and IDA Pro, one of the best disassemblers I can find (it's commercial, and the HT editor can sometimes do in a pinch).

The well-known worm Sasser has been one of the viruses which has received more attention in the press in the latest months. Its author, an 18-year-old student from Germany, after causing lots of troubles to many home users and small enterprises, faces up to several years of prison. Sasser is not a well-programmed virus; its success is entirely due to the exploit it implements, which was announced by Microsoft in one of their security bulletins. In this paper, we will reverse Sasser.B - the second of its variants - showing how it works and also how to clean your computer after infection.

Source: VX reversing II, sasser B, Eduardo Labir, in the CodeBreakers Journal. Eduardo also has a nice piece entitled VX reversing I, The Basics where you may want to begin if this is new to you.

[Source:wormblog]
