Automated Unpacking of Conficker Worm Variant B

The infamous worm Conficker, which surfaced on 21 November 2009 and was set to time-bomb on 1 April 2009, was all over the media. Studying a malware's source code is the best way to fully understand its features and impact, but obtaining the source code is sometimes impossible. There is still an alternative: reverse engineering the binary file. Many malware writers pack their malware with a packer, either one they wrote themselves or one downloaded from the internet. During the analysis of the Conficker worm, MyCERT found that the worm had been compressed by a custom “run-time packer”. This section focuses on techniques for automatically unpacking Conficker worm variant B.

Useful tools:

  1. OllyDbg v1.10 [Download: http://www.ollydbg.de/]
  2. OllyScript v1.67.3 [Download: http://odbgscript.sourceforge.net/]
  3. Script [Download: https://blog.honeynet.org.my/mirror/Uncompress_ConfickerB_version2.osc]

Steps:

  1. Copy the files “ODbgScript.dll” and “Uncompress_ConfickerB_version2.osc” into the OllyDbg folder.
  2. Open OllyDbg.exe and load the Conficker variant B binary.
  3. Check that the packer entry matches the signature below:
    1. CMP BYTE PTR SS:[ESP+8], 1
    2. JNZ conficker.xxxxxxxx
  4. Open the OllyScript window via “Plugins” -> “ODbgScript” -> “Script Window”.
  5. Right-click in the OllyScript window -> select “Run Script” -> “Open”, then select the file “Uncompress_ConfickerB_version2.osc”. The script runs automatically and unpacks the Conficker binary. When it finishes, OllyDbg is stopped at the Original Entry Point (OEP) of the binary file.
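The signature check in step 3 can also be done statically before the sample is loaded into the debugger. The following is an added example, not part of the original post or the MyCERT script: it assumes a 32-bit PE file whose entry-point bytes on disk are the ones OllyDbg shows, and the function names and the constructed sample are illustrative.

```python
import struct

# CMP BYTE PTR SS:[ESP+8], 1 -> opcode 80 /7 ib: ModRM 7C, SIB 24, disp8 08, imm8 01
CMP_SIG = bytes.fromhex("807c240801")
# JNZ is either the short form (75 rel8) or the near form (0F 85 rel32)
JNZ_FORMS = (b"\x75", b"\x0f\x85")

def entry_point_offset(pe):
    """Return the file offset of AddressOfEntryPoint in a PE32 image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsections = struct.unpack_from("<H", pe, nt + 6)[0]
    opt_size = struct.unpack_from("<H", pe, nt + 20)[0]
    opt = nt + 24                                         # optional header start
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("not a PE32 (32-bit) image")
    ep_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    sec = opt + opt_size                                  # first section header
    for i in range(nsections):
        vsize, vaddr, rsize, rptr = struct.unpack_from("<4I", pe, sec + 40 * i + 8)
        if vaddr <= ep_rva < vaddr + max(vsize, rsize):
            return rptr + (ep_rva - vaddr)
    raise ValueError("entry point is not inside any section")

def has_packer_entry(pe):
    """True if the entry point starts with the CMP/JNZ pair from step 3."""
    off = entry_point_offset(pe)
    code = pe[off:off + 16]
    return code.startswith(CMP_SIG) and code[len(CMP_SIG):].startswith(JNZ_FORMS)

def build_sample(entry):
    """Constructed minimal PE32 (not a real sample) with `entry` at its entry point."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = struct.pack("<H", 0x10B).ljust(16, b"\0") + struct.pack("<I", 0x1000)
    opt = opt.ljust(0xE0, b"\0")
    sect = b".text".ljust(8, b"\0") + struct.pack("<4I", 0x200, 0x1000, 0x200, 0x200)
    sect = sect.ljust(40, b"\0")
    headers = (dos + coff + opt + sect).ljust(0x200, b"\0")
    return headers + entry.ljust(0x200, b"\xcc")

if __name__ == "__main__":
    packed = build_sample(CMP_SIG + b"\x0f\x85" + b"\x10\x00\x00\x00")
    plain = build_sample(b"\x55\x8b\xec")                 # push ebp; mov ebp, esp
    print(has_packer_entry(packed), has_packer_entry(plain))
```

A match only says the entry stub has the expected shape; the unpacking itself is still done by the OllyScript in the steps above.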
