Skip navigation.

Storm Unpacking

Nicolas Brulez from Websense has written a good synopsis of the unpacking process for the storm worm. From the article:

"As part of my series of blogs about custom packers, this blog presents techniques to quickly unpack the Storm Worm packer, even if the unpacked code is executed onto the heap, the code is relocated, and the Import Address Table is also on allocated memory.

Storm Worm attackers have been using many different packers, and even if their primary goal isn't to protect against reverse engineering, they have introduced various techniques to slow down analysis. Today's main trick is the execution of code onto the heap. This prevents process dumpers from working, because they dump to disk only the code loader (the actual process you are executing), and not the malicious code."

Good work Nicolas.

LordPE Rebuild Normal vs Nice vs Agressive

One thing to note about this technique is that at least for the particular binary Nicolas used, LordPE only rebuilds the dump into a working binary if the "Normal" realign rebuild option is used. If "Nice" or "Agressive" are used the resulting binary is seriously broken.

I can't seem to find any documentation on the different techniques LordPE uses to realign file. Can someone point me in the right direction?

Working binaries not necessary for analysis

How important is it for you to have a working unpacked binary though? If you have the original sample you can get the working version. The unpacked binary should then be used inside the normal sets of tools.

Static and dynamic analysis

I tend to do static analysis on the dumped binary in IDA. For this really only the IAT needs to be rebuilt. Oftentimes though I need to answer some edge-case question or figure out what data is being passed into a function. I generally turn to OllyDbg and set the appropriate breakpoints for the routines I'm looking at, run the binary, and wait.

I suppose it would be possible to just dump the unpacked version well enough that IDA understands it and then any time I need to run OllyDbg on it, break at the OEP, set the other breakpoints, and then go from there.

Is this what others do?

I'd still like to better understand LordPE and the realign dump options.

there is another one studie

there is another one studie of storm packer et tricks by franck boldewin from
and in my point of view this studies is better if you want to know more about the "tibs packer" et anti-tricks ;)

sample hash

if anyone has MD5 Hash of the sample discussed on that blog, kindly give me a copy.thnx