

How to bypass Zeus Trojan’s self protection mechanism - officialjunk
http://int0xcc.svbtle.com/how-to-bypass-zeus-trojans-self-protection-mechanism

======
kp25
How do people come up with such nice writeups? Is that by experience or by reading
books? Just out of curiosity, I'm loving it..

Amazing knowledge it is, amazing article.

~~~
conductor
This is standard level reverse engineering, nothing too advanced. So, if this
is a "tutorial" then it's for beginners, though the author uses terms like
"unpacking", "fixing the dump", "OEP" without further explanation. Anyway,
nice work.

~~~
kp25
I never really had an idea about reverse engineering, seems like it is a great
subject to dive into.

------
pmorici
How is it that this binary has all the symbols in it still? All of these
trojan functions can't be Windows API calls.

~~~
0x0
Those function names are almost certainly set in IDA by the reverse engineer
(I think it's "n" to rename a function).

~~~
pmorici
Yes, exactly, so if that is the case then hasn't the author skipped over the
most important part of the work? That being the process they went through
to identify each of these functions' purpose, aka the actual RCE work?

This is kind of a pet peeve of mine with many RCE articles. They always seem
to leave out the difficult parts. In that respect I view most of them as
bragging rather than providing much in the way of a useful tutorial or
learning material.

~~~
0x0
I'm assuming you're thinking about the functions that are named "DecodeRc4Key"
and "XorDecode" and the like? I guess a lot of it is just reading the code
(the disassembly, or the pseudo-C if your tool of choice can produce that),
possibly comparing it mentally against things you've seen before, and/or
seeing how the data flows, to determine its purpose?

Also, in this article, it's more interesting to be learning about the overall
structure of the malware piece, which algorithms are employed, and a small
bonus about the C&C at the end. The author skips the usually boring details
for us and presents a summary of his findings (XOR, RC4, etc.).

I'm sure there are other articles around that focus more on the low level
mundane RCE work of actually identifying each subroutine, but that's not what
this article is focused on. In fact, going further in the details about that
here would have been a distraction, I think. On that note I agree the "...for
dummies" headline is a bit of a stretch, though :)

------
Tepix
Great stuff. Finally something that makes it worthwhile to take apart those
trojans.

------
n1ghtmare_
This is some very impressive work. Good job!

------
ejr
Tiny nitpick: It's Spammers. There is no apostrophe before the plural 's'.
The graphic has it correct.

Sorry, that bothers me :-)

The rest of the article was fascinating.

~~~
SixSigma
I guess the nuances of the ten major languages spoken in the author's
homeland of Kashmir are as well developed, and that you could point out minor
nitpicks in the official Kashmiri language of Urdu.

