Use IDA to disassemble and analyze the binary payload of the Blaster worm.
- [Instructor] IDA is a professional-grade disassembler, and it's probably the most popular disassembler in the malware reverse engineering community. It's also available as a free community edition, IDA Pro 5, which is not as richly featured as the commercial version. The purpose of a disassembler is to reconstruct code from binary form and display it as assembler coding. If the executable contains debug information, or an associated debug file can be obtained, then the disassembler can recover such things as function and variable names.

However, malware reverse engineering rarely offers such luxuries. Mostly the code can be recovered, but the meaning has to be drawn out, byte by byte. Earlier in the course, we recovered the Blaster worm payload coding. What we know is the external symptoms. The code is installed through port 135 using the DCOM exploit. This payload then sets up a command shell on port 4444. Let's now take a first look at the payload.

I've constructed the Blaster payload into a binary file and loaded it into IDA.
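The transcript's point is that a stripped payload carries no symbols, so meaning has to be pulled out byte by byte, and the only anchors you start with are the external symptoms (port 135 in, command shell on port 4444). The script below is an added example, not code from the course or from the Blaster sample: it triages a raw payload blob before or alongside loading it into IDA, searching for the known port numbers in both network byte order (what a `sockaddr_in` or an `htons`-style immediate looks like in the bytes) and host little-endian order, and pulling printable strings. The `SAMPLE_PAYLOAD` bytes are constructed to resemble an x86 bind-shell fragment and are not the real payload; the `annotate_in_ida` helper assumes the IDA 7.x IDAPython names `idc.get_inf_attr`, `ida_bytes.get_bytes` and `idc.set_cmt`, and a single contiguous mapped range.

```python
"""Triage a raw payload blob for known port constants and strings.

Added example for the IDA disassembly discussion; not course code and not
the Blaster payload itself. Ports 135 and 4444 come from the described
symptoms; the byte sample below is constructed for illustration only.
"""
import re
import struct

# Constructed sample, NOT the real Blaster payload: a plausible x86 fragment
# with the bind port in network byte order, a host-order 135, and a string.
SAMPLE_PAYLOAD = bytes.fromhex(
    "66b8115c"          # mov ax, 0x5c11   (4444 in network byte order)
    "bb87000000"        # mov ebx, 0x87    (135, host little-endian order)
    "6a01"              # push 1           (SOCK_STREAM)
    "6a02"              # push 2           (AF_INET)
    "636d642e65786500"  # "cmd.exe\0"      (constructed string)
    "c3"                # ret
)

KNOWN_PORTS = [135, 4444]  # infection vector port and bind-shell port


def port_patterns(port):
    """Byte patterns a 16-bit port may take inside code or data.

    'network' is what ends up in sockaddr_in.sin_port; 'host-le' is what a
    plain immediate or a variable holding the raw number looks like on x86.
    """
    return {
        "network": struct.pack(">H", port),
        "host-le": struct.pack("<H", port),
    }


def find_port_constants(data, ports):
    """Return sorted (offset, port, byte_order) hits for every pattern.

    Two-byte patterns (especially values below 256, like 135) will produce
    false positives in any sizeable blob; treat hits as leads to check in IDA,
    not as conclusions.
    """
    hits = []
    for port in ports:
        for form, pat in port_patterns(port).items():
            start = 0
            while True:
                idx = data.find(pat, start)
                if idx < 0:
                    break
                hits.append((idx, port, form))
                start = idx + 1  # allow overlapping matches
    return sorted(hits)


def extract_strings(data, min_len=4):
    """Return (offset, text) for printable-ASCII runs of at least min_len."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(data)]


def triage(data, ports=KNOWN_PORTS):
    """Summarise what a raw blob reveals before any disassembly."""
    return {
        "size": len(data),
        "port_hits": find_port_constants(data, ports),
        "strings": extract_strings(data),
    }


def annotate_in_ida(ports=KNOWN_PORTS):
    """Inside IDA, comment each address where a known-port constant occurs.

    Assumption: IDA 7.x IDAPython API names, and that the database is one
    contiguous mapped range (real binaries may need per-segment iteration).
    """
    import idc        # only importable inside IDA; left out of module scope
    import ida_bytes  # so the pure-Python triage works outside IDA too
    start = idc.get_inf_attr(idc.INF_MIN_EA)
    end = idc.get_inf_attr(idc.INF_MAX_EA)
    data = ida_bytes.get_bytes(start, end - start)
    for off, port, form in find_port_constants(data, ports):
        idc.set_cmt(start + off, "candidate port %d (%s byte order)" % (port, form), 0)


if __name__ == "__main__":
    report = triage(SAMPLE_PAYLOAD)
    for off, port, form in report["port_hits"]:
        print("0x%04x  port %-5d  %s" % (off, port, form))
    for off, text in report["strings"]:
        print("0x%04x  string %r" % (off, text))
```

Run it stand-alone to see the two port leads and the string; inside IDA, call `annotate_in_ida()` from the Python console to get the same leads as comments on the instructions to inspect. Note how the host-order form of 135 is just `87 00`, which will match in many places in a real binary; that is exactly the "byte by byte" work the instructor refers to, with the disassembly context deciding which hits are real.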
Released 11/28/2017
Video: Disassembling with IDA