Monthly Archives: March 2016

Reverse Engineering Necurs (Part 4 – IDA Pro’s Python API)

Introduction: In the previous post, we had paused execution of the malware sample at a point where the malware had “unpacked” itself. We then used the .writemem WinDbg command to output the unpacked data into a file. Finally, we used

Posted in Reverse Engineering

Reverse Engineering Necurs (Part 3 – Patching)

Introduction: In the previous post, we started to step through the Necurs sample using WinDbg. We also used IDA Pro to perform static analysis of the malware sample so we could get an idea of where to set breakpoints. However,

Posted in Reverse Engineering

Reverse Engineering Necurs (Part 2 – Unpacking)

Introduction: In the previous post, we talked about using tcpdump on a VM to monitor network traffic produced by another VM infected with Necurs. We noticed that some “weird” UDP packets were being generated after infection, and used this observation

Posted in Reverse Engineering

Reverse Engineering Necurs (Part 1 – Preliminaries)

A few weeks ago, a fellow analyst sent me a link to a write-up of a new peer-to-peer botnet called Necurs. The write-up included a link to a SANS blog entry. The blog entry included a pcap containing traffic captured from

Posted in Reverse Engineering