Worthy (and easy) Read re: dissection, functionality of malware w/exploits

Discussion in 'Tech Talk' started by MB-G26, Nov 5, 2004.

  1. MB-G26


    Below are excerpts (hopefully sufficiently enticing) from an informative, *and* entertainingly written, step-by-step account by one of the SANS gurus who tracked, 'reverse engineered' (including decrypting), etc. some malware after it ended up on some poor schmoe's brand-new computer (which was behind a NAT firewall, btw) after an ill-fated visit to just *one* malware-gifting website. The write-up takes the reader from infection inception through all the 'hows, whos, wheres, and whys'.

    IMHO, the documentation is well worth the read. Especially for anyone with either curiosity or occasion to wonder HOW something ended up on their machine, HOW & WHY hitherto-unknown malware independently increases & seeks out and installs yet MORE malware, HOW the malware phones a variety of 'homes', WHAT can be behind things like homepage hijacks, browser hijacks, and so on.

    The scheme and functionality of the malware and its actions are all explained in perfectly plain English rather than eye-glazing geekspeak. I just came across it today, but the earlier "Parts" are linked from the text excerpted below and thus available for anyone who wants to start at the saga's beginning. I munged the website & domain names and IP numbers from the original text liberally and intentionally. If nothing else, an IE user might want to review the original write-up and harvest the malware domains into the "Restricted" zone (assuming the settings in that zone are correctly neutered).


    PS. IMO, the documented malware experience of 'Joe' ought to nudge in the ribs any computer user who (a) disregards the need to appropriately patch, (b) disregards the need to have the security settings in IE appropriately adjusted to DISallow things like "install on demand" and so on, and/or (c) takes at face value the actual intent behind some piece of software that claims or implies that it is actually an "anti" spyware application - just 'cause it 'says so' or is misleadingly named.