[unisog] Decompiling virus binaries

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Mon Jul 21 21:11:21 GMT 2003


On Mon, 21 Jul 2003 11:54:09 EDT, Jeff Bollinger <jeff01 at email.unc.edu>  said:

> We received what we believed to be a recent/(new to us) virus
> attachment, and short of running `strings` against the binary, what
> other methods/tools have y'all used to determine the contents of a virus
> binary?  I guess what I'm really asking is, do you know of any good
> de-compilers (hopefully for x86 Linux, GCC 3) that would be useful in
> this instance, or can I use an existing compiler to break the virus down
> to its source code?

strings, strace (on a sandboxed system)...

A virus attachment compiled with GCC for a Linux target?  What are the
chances *THAT* has of living in the wild?  (Note that it would have to find
an exploitable MUA, and then find enough people to send itself to...)

Now, a trojan'ed binary would be more likely.  Yell if you need help...
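A static first pass in the spirit of that advice, written as an added example for this thread (not Valdis's or any list member's code): a portable stand-in for `strings -n 4`, an indicator grep over its output, and a constructed sample file so it runs offline. The indicator categories and the sample's contents are assumptions, not taken from any real attachment.

```shell
#!/bin/sh
# Static triage of an unknown binary before any dynamic step: extract printable
# strings, tag the ones that look like network, path or library indicators,
# and print a hash for sharing. The sample built below is constructed, not a virus.

# Emulates `strings -n 4`: runs of at least 4 printable ASCII characters.
extract_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | awk 'length($0) >= 4'
}

# Tag each extracted string with an indicator category: "category<TAB>string".
classify_strings() {
    extract_strings "$1" | awk '
        /https?:\/\/|ftp:\/\//                        { print "url\t" $0; next }
        /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/              { print "ipv4\t" $0; next }
        /[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]+/   { print "email\t" $0; next }
        /^\/(bin|usr|etc|tmp|var)\//                  { print "path\t" $0; next }
        /^(execve|system|popen|socket|connect|fork)$/ { print "libcall\t" $0; next }
        /\.(so|dll)(\.[0-9]+)*$/                      { print "library\t" $0; next }'
}

# Number of strings in one category (also what the summary reports).
count_category() {
    classify_strings "$1" | awk -F '\t' -v c="$2" '$1 == c { n++ } END { print n + 0 }'
}

# Constructed stand-in for a suspicious attachment: opaque filler bytes with a
# few NUL-terminated strings embedded, so the script can be run offline.
make_sample() {
    {
        printf '\177ELF'                      # ELF magic for flavour only; not executable
        i=0; while [ $i -lt 64 ]; do printf '\001\002\003\376\377'; i=$((i+1)); done
        printf '%s\0' libc.so.6 execve socket connect /bin/sh \
            'http://example.invalid/update.bin' admin@example.invalid 198.51.100.7
        i=0; while [ $i -lt 64 ]; do printf '\001\002\003\376\377'; i=$((i+1)); done
    } > "$1"
}

# Report: hash for lookup or sharing, per-category counts, then the tagged strings.
# The dynamic follow-up (strace -f -o trace.log ./file) belongs in an isolated VM.
triage() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf 'sha256: %s\n' "$(sha256sum "$1" | cut -d' ' -f1)"
    fi
    for c in url ipv4 email path libcall library; do
        printf '%-8s %s\n' "$c" "$(count_category "$1" "$c")"
    done
    classify_strings "$1"
}

# Usage: ./triage.sh <file>; with no argument, runs against the constructed sample.
if [ $# -ge 1 ]; then triage "$1"; else t=$(mktemp); make_sample "$t"; triage "$t"; rm -f "$t"; fi
```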