Malware Domain List

Malware Related => Malware Analysis => Topic started by: cleanmx on February 17, 2010, 04:24:28 pm

Title: binary header M8Z ???
Post by: cleanmx on February 17, 2010, 04:24:28 pm
never seen before...

sample:
Code:
http://didbotta6.unipv.it/dokeos/main/inc/lib/formvalidator/Element/ssh_history
Title: Re: binary header M8Z ???
Post by: parody on February 18, 2010, 02:43:05 pm
I'm guessing it's a proper binary encoded. I've been finding shellcode that decodes the binary AFTER it has been downloaded by the shellcode. If you can find the exploit that links to it, load the shellcode into ollydbg and follow it and you'll see the normal download code plus a routine that decodes the binary. Normally the shellcode is a simple conditional XOR, this looks like something more maybe. If I find anything I'll post more detail.
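An added triage script (not from this thread or any poster) for the case parody describes: a downloaded blob with no MZ header that the shellcode XOR-decodes after download. It brute-forces a single-byte key for both an unconditional XOR and the common "skip 0x00 and key bytes" conditional variant, accepting a key only if the result has an MZ stub and a PE signature at e_lfanew; the sample buffer is constructed, not a real executable, and a blob such as the M8Z one falls through as unknown if it is not a byte XOR.

```python
import struct

def looks_like_pe(buf: bytes) -> bool:
    """True if buf carries a DOS 'MZ' stub and a PE signature at e_lfanew."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return e_lfanew + 4 <= len(buf) and buf[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def xor_plain(buf: bytes, key: int) -> bytes:
    """Unconditional single-byte XOR, the simplest shellcode decoder loop."""
    return bytes(b ^ key for b in buf)

def xor_conditional(buf: bytes, key: int) -> bytes:
    """XOR that leaves 0x00 and bytes equal to the key untouched (nulls stay nulls).
    The transform is its own inverse, so it serves for both encoding and decoding."""
    return bytes(b if b in (0, key) else b ^ key for b in buf)

DECODERS = (("plain", xor_plain), ("conditional", xor_conditional))

def triage(buf: bytes):
    """Classify a downloaded blob: plain PE, single-byte-XOR-encoded PE, or unknown.
    Returns (verdict, key, decoder_mode)."""
    if looks_like_pe(buf):
        return ("plain-pe", None, None)
    for mode, decode in DECODERS:
        for key in range(1, 256):          # key 0 would be the identity transform
            if looks_like_pe(decode(buf, key)):
                return ("xor-encoded-pe", key, mode)
    return ("unknown", None, None)

def make_sample_pe() -> bytes:
    """Constructed minimal PE-shaped buffer (not a real executable) for demonstration."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)

if __name__ == "__main__":
    sample = make_sample_pe()
    print(triage(sample))                          # ('plain-pe', None, None)
    print(triage(xor_plain(sample, 0x37)))         # ('xor-encoded-pe', 55, 'plain')
    print(triage(xor_conditional(sample, 0x37)))   # ('xor-encoded-pe', 55, 'conditional')
    print(triage(b"M8Z" + bytes(0x80)))            # ('unknown', None, None): not a byte XOR
```

For a real sample, read the downloaded file into `buf` and call `triage(buf)`; a verdict of unknown means the encoding is something other than a single-byte XOR, which is when stepping the decoder routine in a debugger, as described above, becomes necessary.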
Title: Re: binary header M8Z ???
Post by: t4L on February 18, 2010, 03:12:39 pm
The binary is simply compressed with a regular compression algorithm which is frequently used in PE packers (don't remember its name, maybe LZMA).