Tag: WinDbg

Reverse Engineering Necurs (Part 2 – Unpacking)

Introduction In the previous post, we talked about using tcpdump on a VM to monitor network traffic produced by another VM infected with Necurs.  We noticed that some “weird” UDP packets were being generated after infection, and used this observation

Tagged with: , , ,

Reverse Engineering Necurs (Part 1 – Preliminaries)

A few weeks ago, a fellow analyst sent me a link to a write-up of a new peer-to-peer botnet called Necurs.  The write-up included a link to a SANS blog entry.  The blog entry included a pcap containing traffic captured from

Tagged with: , , ,