[unisog] Decompiling virus binaries

Jordan Wiens jwiens at nersp.nerdc.ufl.edu
Wed Jul 23 19:31:38 GMT 2003


Fenris might be useful as well:
http://razor.bindview.com/tools/fenris/

Can't say much about how it compares to a 'real' (IDA) product, but it's at
least cheaper.

As others pointed out, that sort of task is not for the faint of heart.

-- 
Jordan Wiens
UF Network Incident Response Team
(352)392-2061

On Mon, 21 Jul 2003, Jeff Bollinger wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> We received what we believed to be a recent/(new to us) virus
> attachment, and short of running `strings` against the binary, what
> other methods/tools have y'all used to determine the contents of a virus
> binary?  I guess what I'm really asking is, do you know of any good
> decompilers (hopefully for x86 Linux, GCC 3) that would be useful in
> this instance, or can I use an existing compiler to break the virus down
> to its source code?
>
> Thanks,
> Jeff
> - --
> Jeff Bollinger, CISSP
> University of North Carolina
> IT Security Analyst
> 105 Abernethy Hall
> mailto: jeff @unc dot edu
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQE/HAyhvoVlxVBmgsURAtoDAJ46zxmkgpqO7Uds5z96VheENS+/jQCfRRZE
> EzMDX6rgN+OWnyhmkERvAks=
> =aAXb
> -----END PGP SIGNATURE-----
>
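Since the question is what to do with a suspicious Linux binary short of running `strings` on it, here is an added example that is not code from either poster and not part of Fenris or IDA: a small Python triage script that parses the ELF64 header and section table with the standard library and attributes every printable string to the section that contains it, so a path found in `.rodata` is distinguishable from a section name in `.shstrtab` or noise in headers. It assumes a little-endian ELF64 input. The sample binary it inspects is constructed inline; it is not a real program and is never executed.

```python
"""Static triage of an ELF binary one step beyond `strings`: parse the ELF64
header and section table, then attribute every printable string to the
section that contains it.  Added example for this thread, not code from
either poster; it assumes a little-endian ELF64 input and uses only the
standard library."""
import struct

ELF_MAGIC = b"\x7fELF"
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
E_MACHINE = {3: "x86", 62: "x86-64"}
SH_TYPE = {0: "NULL", 1: "PROGBITS", 2: "SYMTAB", 3: "STRTAB", 8: "NOBITS"}

EHDR_FMT = "<HHIQQQIHHHHHH"  # ELF64 header fields after the 16-byte e_ident
SHDR_FMT = "<IIQQQQIIQQ"     # one ELF64 section header (64 bytes)


def parse_elf64(data):
    """Return type, machine, entry point and section table of an ELF64 blob."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (e_type, e_machine, _, e_entry, _, e_shoff, _, _, _, _,
     e_shentsize, e_shnum, e_shstrndx) = struct.unpack_from(EHDR_FMT, data, 16)
    raw = [struct.unpack_from(SHDR_FMT, data, e_shoff + i * e_shentsize)
           for i in range(e_shnum)]
    strtab_off = raw[e_shstrndx][4]          # .shstrtab holds the section names
    sections = []
    for sh_name, sh_type, _, sh_addr, sh_off, sh_size, *_ in raw:
        end = data.index(b"\0", strtab_off + sh_name)
        sections.append({
            "name": data[strtab_off + sh_name:end].decode("ascii", "replace"),
            "type": SH_TYPE.get(sh_type, hex(sh_type)),
            "addr": sh_addr, "offset": sh_off, "size": sh_size})
    return {"type": E_TYPE.get(e_type, hex(e_type)),
            "machine": E_MACHINE.get(e_machine, hex(e_machine)),
            "entry": e_entry, "sections": sections}


def extract_strings(data, minlen=4):
    """Return (offset, text) for every run of printable ASCII of at least minlen."""
    found, start = [], None
    for i, b in enumerate(data + b"\0"):          # sentinel closes a final run
        if 0x20 <= b < 0x7F:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= minlen:
                found.append((start, data[start:i].decode("ascii")))
            start = None
    return found


def strings_by_section(data, minlen=4):
    """Group the strings of an ELF64 blob by the section whose file range holds them."""
    info = parse_elf64(data)
    grouped = {}
    for off, text in extract_strings(data, minlen):
        owner = "<none>"                          # headers, padding, stray data
        for s in info["sections"]:
            if s["type"] != "NOBITS" and s["offset"] <= off < s["offset"] + s["size"]:
                owner = s["name"]
                break
        grouped.setdefault(owner, []).append(text)
    return info, grouped


def build_sample():
    """Constructed ELF64 blob (not a real program): header, .text, .rodata,
    .shstrtab and a four-entry section table.  The .text bytes are an
    arbitrary 'xor eax,eax; ret' and are never executed."""
    text = b"\x31\xc0\xc3"
    rodata = b"/tmp/.cache-sample\0SAMPLE_MARKER\0"
    shstrtab = b"\0.text\0.rodata\0.shstrtab\0"
    text_off = 64
    rodata_off = text_off + len(text)
    shstr_off = rodata_off + len(rodata)
    shoff = shstr_off + len(shstrtab)
    shoff += (-shoff) % 8                         # align the section table
    ehdr = (ELF_MAGIC + bytes([2, 1, 1, 0, 0]) + b"\0" * 7 +
            struct.pack(EHDR_FMT, 2, 62, 1, 0x401000, 0, shoff, 0,
                        64, 56, 0, 64, 4, 3))
    # name, type, flags, addr, offset, size, link, info, align, entsize
    shdrs = [(0, 0, 0, 0, 0, 0, 0, 0, 0, 0),
             (1, 1, 6, 0x401000, text_off, len(text), 0, 0, 16, 0),
             (7, 1, 2, 0x402000, rodata_off, len(rodata), 0, 0, 8, 0),
             (15, 3, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0)]
    body = ehdr + text + rodata + shstrtab
    body += b"\0" * (shoff - len(body))
    return body + b"".join(struct.pack(SHDR_FMT, *sh) for sh in shdrs)


if __name__ == "__main__":
    info, grouped = strings_by_section(build_sample())
    print(f"{info['type']} {info['machine']} entry=0x{info['entry']:x}")
    for s in info["sections"]:
        print(f"  {s['name']:<10} {s['type']:<9} off=0x{s['offset']:x} size={s['size']}")
    for name, strs in grouped.items():
        print(f"{name}: {strs}")
```

Run it on a real sample by replacing `build_sample()` with `open(path, "rb").read()`; anything reported under `<none>` sits outside every section and is worth a second look, since packed or appended payloads commonly live there. This is still static inspection only, not decompilation, and says nothing about what the code does when run.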
