Practical Malware Analysis by Andrew Honig, Michael Sikorski

Lab 15-2 Solutions

Short Answers

  1. The URL initially requested is http://www.practicalmalwareanalysis.com/bamboo.html.

  2. The User-Agent string is generated by adding 1 to each letter and number in the hostname (Z and 9 are rotated to A and 0).

  3. The program looks for the string Bamboo:: in the page it requested.

  4. The program searches beyond the Bamboo:: string to find an additional ::, which it converts to a NULL terminator. The string in between Bamboo and the terminator is downloaded to a file named Account Summary.xls.exe and executed.

Detailed Analysis

Open the binary with IDA Pro and scroll to the main function at offset 0x00401000. We will begin by disarming this function, reading it top to bottom and fixing each countermeasure until we reach the logical ...