I get all kinds of Trojan Horses by email, and sometimes I wonder what they do. This morning I had a few extra minutes, so I decided to start taking a look at one.
First, I installed binutils and configured it with the --enable-targets=all option, because these Trojan Horses are inevitably in PE/COFF format, and I don't do this kind of thing on Windows.
Then I disassembled my most recent Trojan Horse. The executable section boils down to a mere 1781 lines of x86 assembly, so not really very large at all, with a bunch of small routines. I haven't had a chance to look too closely at it yet, but it looks like it has some obfuscated chunk of something (executable) as an embedded resource. I'll have to see if I can sort that out.
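Before reaching for the disassembler, a first-pass triage helps confirm the "obfuscated chunk in a resource" suspicion above. The following is an added example (my own code, not the author's or any tool's): a minimal PE/COFF section-table parser that walks DOS header, PE signature, COFF header and section headers, then computes per-section Shannon entropy so that a packed or encrypted blob sitting in `.rsrc` stands out from ordinary machine code. The PE image it works on is constructed inline (it is not the author's sample), and the function names and the 7.0 bits-per-byte threshold are my own choices.

```python
import hashlib
import math
import struct

# Hypothetical threshold: compressed/encrypted data sits near 8.0 bits per byte,
# x86 machine code and ASCII-heavy data well below that.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> list:
    """Walk DOS stub -> 'PE\\0\\0' -> COFF header -> section table.

    Returns one dict per section with its raw-data location, size, entropy,
    and a 'truncated' flag for headers that point past the end of the file
    (a common property of damaged or deliberately malformed samples)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", image, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsections):
        (name, _vsize, vaddr, raw_size, raw_ptr,
         _reloc, _lines, _nreloc, _nlines, chars) = struct.unpack_from(
            "<8sIIIIIIHHI", image, table + 40 * i)
        data = image[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "raw_offset": raw_ptr,
            "raw_size": raw_size,
            "characteristics": chars,
            "truncated": len(data) < raw_size,
            "entropy": shannon_entropy(data),
        })
    return sections


def suspicious_sections(image: bytes, threshold: float = ENTROPY_THRESHOLD) -> list:
    """Names of sections whose raw bytes look packed or encrypted."""
    return [s["name"] for s in parse_sections(image) if s["entropy"] >= threshold]


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 image: a tiny .text of real x86 stubs and a
    .rsrc filled with a deterministic pseudo-random blob standing in for an
    obfuscated embedded payload. Not a real program; headers are just enough
    for the parser above."""
    text = b"\x55\x89\xe5\x5d\xc3" * 100       # push ebp; mov ebp,esp; pop ebp; ret
    blob, seed = b"", b"constructed-sample"
    while len(blob) < 1024:                   # SHA-256 chain: high entropy, repeatable
        seed = hashlib.sha256(seed).digest()
        blob += seed
    blob = blob[:1024]
    text_ptr, rsrc_ptr = 0x200, 0x400         # raw offsets at 512-byte file alignment
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 96, 0x0102)  # i386, 2 sections
    opt = struct.pack("<H", 0x10B) + b"\0" * 94          # PE32 magic, rest zeroed
    sec_text = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000,
                           0x200, text_ptr, 0, 0, 0, 0, 0x60000020)
    sec_rsrc = struct.pack("<8sIIIIIIHHI", b".rsrc", len(blob), 0x2000,
                           len(blob), rsrc_ptr, 0, 0, 0, 0, 0x40000040)
    headers = (dos + b"PE\0\0" + coff + opt + sec_text + sec_rsrc).ljust(text_ptr, b"\0")
    return headers + text.ljust(0x200, b"\0") + blob


if __name__ == "__main__":
    for s in parse_sections(build_sample_pe()):
        flag = " <-- high entropy" if s["entropy"] >= ENTROPY_THRESHOLD else ""
        print(f"{s['name']:<8} off=0x{s['raw_offset']:x} size={s['raw_size']:>5} "
              f"entropy={s['entropy']:.2f}{flag}")
```

On a real file, feed `open(path, "rb").read()` to `parse_sections` and look at the rows rather than trusting the flag blindly: a high-entropy `.rsrc` can just as well be a compressed image asset as an encrypted second stage, and a `truncated` section is worth a look on its own because the disassembler will silently read past the file end or refuse the image.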