• 0

Need a good decompiler for malware


Question

Apparently I have a piece of 0-day malware that seems to be attaching itself to different processes on different machines, everything from not very well known exes to well known exes. I need something that will break the exe apart, find out what it is calling, and find out what exactly is embedded in it. Yes yes, millions of lines of code.... I don't feel like waiting for my AV company to find the issue and fix it.

Executables that Comodo seems to think are communicating with IPs:

pc1

googlequicksearchbox.exe 208.73.210.48

pc2

svchost.exe 208.73.210.48

server1

btmservice.exe 208.73.210.48

Info about 208.73.210.48

IP address: 208.73.210.48

Reverse DNS: [No reverse DNS entry per ns1.oversee.net.]

Reverse DNS authenticity: [unknown]

ASN: 33626

ASN Name: OVERSEE-DOT-NET

IP range connectivity: 7

Registrar (per ASN): ARIN

Country (per IP registrar): US [united States]

Country Currency: USD [united States Dollars]

Country IP Range: 208.73.128.0 to 208.73.255.255

Country fraud profile: Normal

City (per outside source): Unknown

Country (per outside source): -- []

Private (internal) IP? No

IP address registrar: whois.arin.net

Known Proxy? No

Link for WHOIS: 208.73.210.48

This is going on with multiple computers/servers and all random exes communicating... need to find what is calling the malware to run and connect.


  • 0

Malwarebytes didn't find it. GMER didn't find it. TDSSKiller, well, do I really need to go there?

Rootkit detectors that I tried....

GMER

Sophos

RootkitRevealer

Software that I have tried (so I don't get any more "try this or try that")

Malwarebytes

SUPERAntiSpyware

ComboFix (why? because nothing else is finding anything useful and I was hoping to find something that stands out in the logs)

Avira

Avast

Hitman Pro

Symantec Endpoint

ESET

Kaspersky

Nothing is finding this infection, nothing is hinting at its existence, but these machines are constantly trying to communicate with this. I know it is a malware site; why do you think I am asking for software that will get me deep into the exes... not because some random DLL is on my system and I can find it easily, or a rootkit is floating on my system somewhere and is easily detectable/removable.

Nothing is really standing out at me and saying "here I am", which is why I think it embedded itself in an exe... going to check hashes, being that I am running out of ideas. That will take forever with copy and paste.

I am not seeing anything in GMER, ComboFix logs, or OTL..... this is really bothering me and I don't want to wipe and rebuild 100 PCs.

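Checking hashes across many machines without copy and paste, as an added Python example that is not part of the thread (the script name, manifest file names and the directory to scan are assumptions): run it once against a known-clean install to record a SHA-256 baseline, then against each suspect machine, and the changed, added or missing binaries are listed for you.

```python
import hashlib
import json
from pathlib import Path

# Added example: build a SHA-256 manifest of executables under a directory and
# compare it against a manifest taken from a known-clean machine, so modified or
# unexpected binaries stand out without copying hashes around by hand.
# The file names and directories used below are assumptions for illustration.

BINARY_EXTENSIONS = {".exe", ".dll", ".sys"}

def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map relative path (lower-cased, forward slashes) -> SHA-256 for every binary under root."""
    root = Path(root)
    manifest = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in BINARY_EXTENSIONS:
            manifest[p.relative_to(root).as_posix().lower()] = sha256_file(p)
    return manifest

def compare_manifests(clean, suspect):
    """Relative paths whose hash differs, that only exist on the suspect, or that are gone."""
    changed = sorted(k for k in clean if k in suspect and clean[k] != suspect[k])
    added = sorted(k for k in suspect if k not in clean)
    missing = sorted(k for k in clean if k not in suspect)
    return {"changed": changed, "added": added, "missing": missing}

def save_manifest(manifest, out_path):
    with open(out_path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)

def load_manifest(path):
    with open(path) as f:
        return json.load(f)

if __name__ == "__main__":
    import sys
    # Assumed usage:  python hashcheck.py build C:\Windows\System32 clean.json
    #                 python hashcheck.py compare clean.json C:\Windows\System32
    if sys.argv[1] == "build":
        save_manifest(build_manifest(sys.argv[2]), sys.argv[3])
    else:
        report = compare_manifests(load_manifest(sys.argv[2]), build_manifest(sys.argv[3]))
        for kind, paths in report.items():
            for p in paths:
                print(f"{kind}: {p}")
```

The "changed" list is the one to look at first: a system executable whose hash differs from the clean copy of the same build is exactly the "embedded itself in an exe" case described above, and it gives you the specific file to diff or submit.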

  • 0

> Are you scanning for the rootkit while running your OS?
>
> You need to try an offline installer burned to CD to check for rootkits. Burn it from a clean system, else the rootkit can infect the CD. Microsoft has one in beta (http://connect.microsoft.com/systemsweeper) and

Please just answer the question at hand..... Yes, I have done an offline and online scan. Besides, any PC that I attach to the network gets infected. It is a nasty one.


  • 0

> Use this.
>
> http://public.avast.com/~gmerek/aswMBR.htm
>
> It can restore your MBR.

O_o

Why do I ask.....

You know what also restores your MBR... almost everything I mentioned above. Also, fixmbr from a Win XP disk does it too... been there, done that, I have the t-shirt. I am not trying to be a wise ass, but I asked for something very specific and am getting suggestions which I did not ask for (which I do appreciate, but isn't necessary... this isn't my first go around with malware/viruses/rootkits).


  • 0

You can remove it from startup in msconfig, reboot into safe mode and delete the file if it appears in msconfig. Look in known places like appdata, sys32, windows... Is it injecting itself into a process or creating another one?

You can try HijackThis to check the startup entries.

Also, for disassembly use IDA, OllyDbg and a hex editor.

You can use anubis.iseclab.org to verify EXE activity.

Also, if you can, I would like a copy of these exes :)

btmservice.exe

googlequicksearchbox.exe

svchost.exe (this one might be the virus running under this process name; just check the User Name column in Task Manager for an svchost running under the current user name. If you find any, it's your virus, because the real svchost only runs under the network or local service names and never a user name).

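The svchost owner check from the post above, run over a whole process list instead of scrolling Task Manager, as an added Python example that is not the poster's code: it reads the CSV form of `tasklist /V /FO CSV` (the sample output below is constructed), treats SYSTEM as a legitimate owner in addition to the two service accounts named above, and also flags image names that are one character away from svchost.exe.

```python
import csv
import io

# Added example, not from the thread: audit a `tasklist /V /FO CSV` export for
# svchost.exe processes owned by an ordinary user account, and for image names that
# are one substituted or one swapped character away from "svchost.exe".
# The CSV below is constructed sample output in tasklist's /V /FO CSV column layout.

# Accounts a genuine svchost.exe runs under. SYSTEM is included here as well as
# the two service accounts the post mentions.
EXPECTED_SVCHOST_OWNERS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\NETWORK SERVICE",
    "NT AUTHORITY\\LOCAL SERVICE",
}

SAMPLE_TASKLIST = (
    '"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"\n'
    '"svchost.exe","812","Services","0","6,144 K","Unknown","NT AUTHORITY\\SYSTEM","0:00:03","N/A"\n'
    '"svchost.exe","904","Services","0","12,820 K","Unknown","NT AUTHORITY\\NETWORK SERVICE","0:00:10","N/A"\n'
    '"svchost.exe","2216","Console","1","3,412 K","Running","PC1\\jsmith","0:00:00","N/A"\n'
    '"scvhost.exe","3040","Console","1","2,100 K","Running","PC1\\jsmith","0:00:00","N/A"\n'
    '"explorer.exe","1540","Console","1","28,000 K","Running","PC1\\jsmith","0:00:41","N/A"\n'
)

def looks_like_svchost(name, target="svchost.exe"):
    """True when name differs from svchost.exe by one substituted or one swapped character."""
    name = name.lower()
    if name == target or len(name) != len(target):
        return False
    diffs = [i for i, (a, b) in enumerate(zip(name, target)) if a != b]
    if len(diffs) == 1:
        return True
    i, j = diffs[0], diffs[-1]
    return len(diffs) == 2 and j == i + 1 and name[i] == target[j] and name[j] == target[i]

def audit_tasklist(tasklist_csv, expected=EXPECTED_SVCHOST_OWNERS):
    """Return svchost instances with unexpected owners and processes with lookalike names."""
    expected_upper = {e.upper() for e in expected}
    wrong_owner, lookalike = [], []
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        image, pid, user = row["Image Name"], int(row["PID"]), row["User Name"]
        if image.lower() == "svchost.exe" and user.upper() not in expected_upper:
            wrong_owner.append((pid, user))
        elif looks_like_svchost(image):
            lookalike.append((pid, image))
    return {"wrong_owner": wrong_owner, "lookalike": lookalike}

if __name__ == "__main__":
    # Live usage (assumed): tasklist /V /FO CSV > procs.csv, then pass the file contents here.
    report = audit_tasklist(SAMPLE_TASKLIST)
    for pid, user in report["wrong_owner"]:
        print(f"svchost.exe PID {pid} runs as {user}: check its image path and parent process")
    for pid, image in report["lookalike"]:
        print(f"PID {pid} is named {image}, a near-miss for svchost.exe")
```

A hit is a lead, not a verdict: the next step for a flagged PID is to confirm where its image lives (a genuine svchost is in system32) and which process started it.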

  • 0

FYI, I don't use HijackThis.... it doesn't go deep enough.

Try OTL and DDS. They don't give you the little check boxes that HJT gives you, but they give you a ton more information about what is going on with the OS: files created within 30 or however many days you tell it, possible rootkit files, other locations, registry keys etc.... not just ads, startup and browser hijacks.

Once you learn how to use those tools you will stop using HJT too.


  • 0

HJT was an example because it is a better-known tool.. I mean you should use a tool like that :)


  • 0

sc302, instead of trying to decompile the infected exe, have you just captured the data it is sending to the IP? This may give you the clue you need to figure out exactly what you're dealing with.

Also, I would suggest you just do a binary diff of the infected exe and a known good copy of the exe to get a snip of what has been injected into it.

Also, you could submit an infected exe to http://anubis.iseclab.org/?action=home

Their reports should give you good info on what it's doing, etc.

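The binary diff suggested above, done at the PE header level rather than byte by byte, as an added Python example that is not part of the thread: it parses the section table of a clean and a suspect copy of the same executable and reports a moved entry point, new or altered sections, and data appended after the last section. The `build_test_pe` helper constructs a minimal, non-runnable PE image only so the comparison can be demonstrated offline; it assumes section names are unique within a file, which holds for normal binaries.

```python
import hashlib
import struct

# Added example, not from the thread: compare the PE layout of a suspect executable
# against a known-good copy of the same file. Injected code usually shows up as a new
# or changed section, a moved entry point, or bytes appended after the last section,
# and reading those facts from the headers is quicker than eyeballing a raw hex diff.

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def parse_pe(data):
    """Entry point RVA, per-section metadata with a hash of each section's raw bytes,
    and the size of any overlay (bytes past the last section) for a PE image in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # same offset for PE32 and PE32+
    sections, off, end_of_data = [], opt + size_opt, 0
    for _ in range(num_sections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(SECTION_FMT, data, off)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "rawsize": rawsize,
            "exec": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "write": bool(chars & IMAGE_SCN_MEM_WRITE),
            "sha256": hashlib.sha256(raw).hexdigest(),
        })
        end_of_data = max(end_of_data, rawptr + rawsize)
        off += struct.calcsize(SECTION_FMT)
    return {"entry": entry, "sections": sections, "overlay": len(data) - end_of_data}

def section_for_rva(sections, rva):
    """Name of the section containing rva, or None if it points outside every section."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return None

def diff_pe(clean, suspect):
    """Human-readable differences between two parse_pe() results, clean first."""
    findings = []
    if clean["entry"] != suspect["entry"]:
        findings.append("entry point moved from 0x%X (%s) to 0x%X (%s)" % (
            clean["entry"], section_for_rva(clean["sections"], clean["entry"]),
            suspect["entry"], section_for_rva(suspect["sections"], suspect["entry"])))
    by_name = {s["name"]: s for s in clean["sections"]}
    for s in suspect["sections"]:
        old = by_name.get(s["name"])
        if old is None:
            findings.append("new section %s (%d bytes, exec=%s, write=%s)"
                            % (s["name"], s["rawsize"], s["exec"], s["write"]))
            continue
        if old["sha256"] != s["sha256"]:
            findings.append("section %s content changed (%d -> %d raw bytes)"
                            % (s["name"], old["rawsize"], s["rawsize"]))
        if (old["exec"], old["write"]) != (s["exec"], s["write"]):
            findings.append("section %s permissions changed" % s["name"])
    present = {s["name"] for s in suspect["sections"]}
    findings += ["section %s missing" % n for n in by_name if n not in present]
    if suspect["overlay"] > clean["overlay"]:
        findings.append("overlay grew by %d bytes" % (suspect["overlay"] - clean["overlay"]))
    return findings

def build_test_pe(sections, entry):
    """Construct a minimal PE32 image (headers plus section data, not runnable) so the
    comparison can be demonstrated without a real binary. sections: (name, va, chars, raw)."""
    opt_size = 224
    header_len = 0x40 + 4 + 20 + opt_size + struct.calcsize(SECTION_FMT) * len(sections)
    raw_off = (header_len + 0x1FF) & ~0x1FF            # section data starts on a 512-byte boundary
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry) + b"\0" * (opt_size - 20)
    table, body, ptr = b"", b"", raw_off
    for name, va, chars, raw in sections:
        table += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), len(raw), va, len(raw), ptr, 0, 0, 0, 0, chars)
        body += raw
        ptr += len(raw)
    image = dos + b"PE\0\0" + coff + opt + table
    return image + b"\0" * (raw_off - len(image)) + body

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # assumed usage: python pediff.py clean.exe suspect.exe
        clean, suspect = (parse_pe(open(p, "rb").read()) for p in sys.argv[1:3])
    else:                    # otherwise run on a constructed sample pair
        clean = parse_pe(build_test_pe([(b".text", 0x1000, 0x60000020, b"\x90" * 16)], 0x1000))
        suspect = parse_pe(build_test_pe([(b".text", 0x1000, 0x60000020, b"\x90" * 16),
                                          (b".evil", 0x3000, 0xE0000020, b"\xCC" * 32)], 0x3000) + b"tail")
    for line in diff_pe(clean, suspect) or ["no differences found"]:
        print(line)
```

The clean copy must be the same build of the file (same version, same patch level) or every section will differ; a new writable and executable section, or an entry point that now lands outside .text, is the finding worth following up on.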

  • 0

> sc302, instead of trying to decompile the infected exe, have you just captured the data it is sending to the IP? This may give you the clue you need to figure out exactly what you're dealing with.
>
> Also, I would suggest you just do a binary diff of the infected exe and a known good copy of the exe to get a snip of what has been injected into it.

Try submitting the exe to VirusTotal; it probably won't find anything, but it won't hurt to check. You can submit this to the guys at Bleeping, they may be able to help you. I know, but there are some guys there that could probably help. However, the thing is, there is a new rootkit going around that uses encryption and compression so you can't decompile it. You also can't remove or detect it (well, currently). So if you have this then your only option is to format and reinstall. I believe an MS rep confirmed this a few weeks back. I've encountered it twice so far. I think I ended up trying everything I could find just to see if anything could detect it. The new generation of malware is no joke.


  • 0

> sc302, instead of trying to decompile the infected exe, have you just captured the data it is sending to the IP? This may give you the clue you need to figure out exactly what you're dealing with.
>
> Also, I would suggest you just do a binary diff of the infected exe and a known good copy of the exe to get a snip of what has been injected into it.

I need to find out where he put Wireshark...


  • 0

> Try submitting the exe to VirusTotal; it probably won't find anything, but it won't hurt to check. You can submit this to the guys at Bleeping, they may be able to help you. I know, but there are some guys there that could probably help. However, the thing is, there is a new rootkit going around that uses encryption and compression so you can't decompile it. You also can't remove or detect it (well, currently). So if you have this then your only option is to format and reinstall. I believe an MS rep confirmed this a few weeks back. I've encountered it twice so far. I think I ended up trying everything I could find just to see if anything could detect it. The new generation of malware is no joke.

Yea, no kidding... I probably have this. Nothing is picking it up; even the tools that the helpers use aren't picking this up. Offline scans aren't picking this up. This fker is a bitch and is everywhere on this freakin network and it is spreading like wildfire.

The issue is someone got hold of an RDP session to the server; even though they did not have admin access they had access to it and were able to run whatever they wanted on it.... I hate leaving 3389 open. This was not my call or my network setup; I am coming in after the fact.


  • 0

> Yea, no kidding... I probably have this. Nothing is picking it up; even the tools that the helpers use aren't picking this up. Offline scans aren't picking this up. This fker is a bitch and is everywhere on this freakin network and it is spreading like wildfire.
>
> The issue is someone got hold of an RDP session to the server; even though they did not have admin access they had access to it and were able to run whatever they wanted on it.... I hate leaving 3389 open. This was not my call or my network setup; I am coming in after the fact.

Just submitting it to VirusTotal is enough actually..

AV companies look at the files sent to VT and very soon you'll start seeing it detected.


  • 0

Already submitted to my AV company for verification... waiting 24 hrs...... I am here now to work around the time limit they put on.


  • 0

Yep, they will let me know in 23 days or so.. f that noise.

VirusTotal says 0....

Maybe Comodo is wrong, but something is trying to communicate with that IP.... and Comodo specifically said it was that specific exe on that machine, which is offline right now. Oh, and it jumped processes.... now it is a Windows operating system file according to Comodo on that system... really making me mad.


  • 0

Really need to see the packet capture to get some clue as to what it is, so you can find out how to fight it. What port is it trying to talk to?


  • 0

4 Aug 08 2011 16:42:26 106023 192.168.1.144 1070 208.73.210.48 161 Deny udp src Inside:192.168.1.144/1070 dst Outside:208.73.210.48/161 by access-group "inside" [0x9685a4c, 0x0]

Looks like 161 is common....


  • 0

Yeah, 161 is SNMP -- you sure that is right? Seems like a pretty stupid port to try and talk to your C&C server on.. I would think every single work network on the planet would have that blocked..

Can we get a packet capture?

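Reading the firewall's deny lines across the whole log rather than one at a time answers the "what port" question for every host at once and yields the list of machines to isolate first. As an added Python example that is not part of the thread: the first sample line is the one posted above, the other lines are constructed, and the ASA-style `src Inside:ip/port dst Outside:ip/port` layout is assumed from that one line.

```python
import re
from collections import Counter, defaultdict

# Added example, not from the thread: extract the internal source host, protocol and
# destination port from ASA-style "Deny" log lines like the one quoted above and
# summarise attempts toward one watched address per internal host.
# The first SAMPLE_LOG line is the thread's own; the remaining lines are constructed.

LINE_RE = re.compile(
    r"(?P<action>Deny|Permit)\s+(?P<proto>\w+)\s+src\s+\w+:(?P<src>[\d.]+)/(?P<sport>\d+)"
    r"\s+dst\s+\w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

PORT_NOTES = {("udp", 161): "SNMP", ("udp", 53): "DNS", ("tcp", 80): "HTTP", ("tcp", 443): "HTTPS"}

SAMPLE_LOG = """\
4 Aug 08 2011 16:42:26 106023 192.168.1.144 1070 208.73.210.48 161 Deny udp src Inside:192.168.1.144/1070 dst Outside:208.73.210.48/161 by access-group "inside" [0x9685a4c, 0x0]
4 Aug 08 2011 16:43:01 106023 192.168.1.144 1071 208.73.210.48 161 Deny udp src Inside:192.168.1.144/1071 dst Outside:208.73.210.48/161 by access-group "inside" [0x9685a4c, 0x0]
4 Aug 08 2011 16:43:15 106023 192.168.1.20 2055 208.73.210.48 161 Deny udp src Inside:192.168.1.20/2055 dst Outside:208.73.210.48/161 by access-group "inside" [0x9685a4c, 0x0]
4 Aug 08 2011 16:44:02 106023 192.168.1.20 2056 208.73.210.48 80 Deny tcp src Inside:192.168.1.20/2056 dst Outside:208.73.210.48/80 by access-group "inside" [0x9685a4c, 0x0]
4 Aug 08 2011 16:44:30 106023 192.168.1.77 3301 8.8.8.8 53 Deny udp src Inside:192.168.1.77/3301 dst Outside:8.8.8.8/53 by access-group "inside" [0x9685a4c, 0x0]
"""

def parse_denies(text):
    """One dict per recognised Deny line; lines that do not match the pattern are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m and m["action"] == "Deny":
            events.append({"proto": m["proto"], "src": m["src"], "sport": int(m["sport"]),
                           "dst": m["dst"], "dport": int(m["dport"])})
    return events

def summarize(events, watch_ip):
    """Per internal host, a count of blocked attempts toward watch_ip keyed by (proto, dport)."""
    per_host = defaultdict(Counter)
    for e in events:
        if e["dst"] == watch_ip:
            per_host[e["src"]][(e["proto"], e["dport"])] += 1
    return {host: dict(counts) for host, counts in per_host.items()}

def hosts_talking_to(events, watch_ip):
    """Sorted internal hosts that tried to reach watch_ip: the ones to pull off the network first."""
    return sorted(summarize(events, watch_ip))

if __name__ == "__main__":
    watch = "208.73.210.48"
    for host, counts in sorted(summarize(parse_denies(SAMPLE_LOG), watch).items()):
        for (proto, port), n in sorted(counts.items()):
            note = PORT_NOTES.get((proto, port), "unlisted")
            print(f"{host} -> {watch} {proto}/{port} ({note}): {n} blocked attempt(s)")
```

Because the firewall is denying these packets, the log only shows the attempt, not the payload; the packet capture asked for above still has to be taken on the inside of the firewall to see what the process is actually sending.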

This topic is now closed to further replies.