Old Dominion University



Homework 8 (In Class)

Let us analyze Lab13-01.exe.

Use PEiD to open Lab13-01.exe. Use Krypto ANALyzer to see the encodings and take a screenshot (record and highlight the address of each encoding). Note that we will not analyze the Base64 encoding in class; the program also uses XOR encoding, which PEiD does not identify.

Open ApateDNS under C:\Documents and Settings\Test\My Documents\Tools\apateDNS and run the malware. Describe what you see. [Hint: ApateDNS is a fake local DNS server that captures the DNS requests sent by the malware.]

Now let us look at the strings in IDA Pro and evaluate what we can find. Can you find the URL: using string.exe?

We know that there is some encryption in the code. A simple encryption technique is XOR encryption. Look for non-clearing XOR (i.e., not xor eax, eax) through the whole program. Our target is something like "xor register, constant" or "xor constant, register". Can you find anything? (Hints: use Search->Text->xor and check "Find all occurrences"; look for "XOR register, constant".) What is the constant that the xor operation uses? If there is a loop construct, take a screenshot of the program flow. Can you find the loop counter? (Hint: it is a variable. Is it var_4 or arg_4?)

Go back from sub_401190 to the main graph view; you will see that sub_401190 is called along with some resource functions. Focus on lpType and lpName, which are the resource type and resource name. We can see that the Resource Type (lpType) has the value 0Ah. From the following website, can you interpret what 0Ah means? ((v=vs.85).aspx)

Let us open the program in PEview. Look for the type name you found above in section .rsrc. You should see this:

Similarly, open the executable file in WinHex Editor (under the download folder) and locate address 00007060. Use your mouse to select these two lines, and then go to Edit->Modify Data->XOR; the value should be the "key" you found in IDA Pro in Question 2. What do you see? (Take a screenshot.)

Let us go to sub_4011C9, which calls sub_4010B1. By looking at the function calls gethostname, InternetOpenA, InternetReadFile, InternetCloseHandle and some of the labels given by IDA Pro such as , can you guess what the program is doing here? Can you conclude what the purpose of the malware is?
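The XOR step the lab asks you to reproduce by hand in WinHex (select the resource bytes, Edit->Modify Data->XOR with the constant from the disassembly) is a single-byte XOR loop: each byte of the resource is XORed with one constant. The script below is an added example, not part of the lab handout or of Lab13-01.exe itself, and it works on a constructed sample rather than the real resource. It decodes a buffer with a given key and, going a step beyond the manual procedure, recovers an unknown single-byte key by trying all 256 candidates and keeping the one whose output is printable and contains an expected marker such as "http". The key 0x5A and the sample URL are assumptions for the example only; the real key is whatever the xor instruction in sub_401190 shows.

```python
"""Single-byte XOR decoding of an embedded resource blob (added example).

Mirrors the "xor register, constant" loop the lab asks you to locate:
every byte of the resource is XORed with the same constant key.
"""
from typing import Optional

# Constructed sample data: a fake resource payload that holds a URL.
# SAMPLE_KEY is an assumption for this example, not the lab's real key.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = b"http://example.invalid/report.php?host=\x00"
SAMPLE_ENCODED = bytes(b ^ SAMPLE_KEY for b in SAMPLE_PLAINTEXT)


def xor_decode(buf: bytes, key: int) -> bytes:
    """Decode buf with one constant key; equivalent to WinHex's XOR modify."""
    key &= 0xFF
    return bytes(b ^ key for b in buf)


def printable_ratio(buf: bytes) -> float:
    """Fraction of bytes that look like ASCII text (or NUL/whitespace)."""
    if not buf:
        return 0.0
    ok = sum(1 for b in buf if 0x20 <= b < 0x7F or b in (0x00, 0x09, 0x0A, 0x0D))
    return ok / len(buf)


def recover_key(buf: bytes, marker: bytes = b"http", min_ratio: float = 0.9) -> Optional[int]:
    """Brute-force the single-byte key.

    A candidate key is accepted only if the decoded output is mostly
    printable and contains the expected marker; among those, the most
    printable decoding wins. Returns None when no key qualifies.
    """
    best_key, best_ratio = None, 0.0
    for key in range(256):
        dec = xor_decode(buf, key)
        if marker not in dec:
            continue
        ratio = printable_ratio(dec)
        if ratio >= min_ratio and ratio > best_ratio:
            best_key, best_ratio = key, ratio
    return best_key


def decode_resource(buf: bytes) -> Optional[bytes]:
    """Recover the key and return the decoded resource, or None."""
    key = recover_key(buf)
    if key is None:
        return None
    return xor_decode(buf, key)


if __name__ == "__main__":
    key = recover_key(SAMPLE_ENCODED)
    print(f"recovered key: {key:#04x}" if key is not None else "no key found")
    print(decode_resource(SAMPLE_ENCODED))
```

When you run this against bytes carved from the real .rsrc section (for example, the two lines at 00007060 that the lab points you to), pass a marker you expect in the decoded data; if the guess is wrong, recover_key returns None rather than a misleading key.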