Archive for the ‘Fun with Malware’ Category

Cadaver Worm: An Exercise in Malware Fiction

Sunday, February 10th, 2013

The discovery of a “black hole horizon” in a complete memory dump inspired this fictitious malware. There, in the dump, we found an innocuous ASCII message:

fffff880`15925010  fffff880`159250d0 "Dumping physical memory to disk:  80% ."

A little thought and we realized that this page had been saved to the page file at the time when only 80% of memory had been dumped. So we do not know what was in that page during the rest of the time (and never will). I guess Cadaver Worms live there, spreading from PC to PC and causing blue screens immediately upon infection to minimize discovery. They are not in crash dumps because they relocate themselves during the system dump procedure. They thaw frozen CPUs and send themselves to the network. Who would suspect a computer showing a blue screen of sending network packets?

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

FBI (Debugging Slang, Part 35)

Wednesday, June 27th, 2012

FBI - Fighting Bugs Inside.

Examples: I’m doing FBI work now!

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Computer Memory Monsters (Part 1)

Wednesday, May 11th, 2011

In this series we start our analysis of monsters in the realm of computer memory: software defects, malware, corrupt software structures and their various behaviours. Some of the monsters are based on exaggerated crash dump and software trace patterns; some are based on accumulated debugging and technical support wisdom. The first monster we present today is called Chimera, and it lives in DLL Hell. It is based on an exaggerated pattern called Module Variety. When opening a 64-bit memory dump it shows several pages of modules (lm WinDbg command):


As the monster’s creator explained to me, they used an experimental way of representing every class object as a loaded component. And it was a word processor where every paragraph, every sentence, every word and every letter was an object implemented in a separate module! The goal was to have any letter literally dance on the screen if necessary.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

MMXI

Friday, December 31st, 2010

Similar to Google’s GMMXIe depiction and interpretation, I propose another one, related to memory centuries that start from 1000 CE (M…):

MMXI

Malware Memory eXception and Injection

or

Monitoring Memory, eXceptions, and Injections

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -