How I learned Reverse Engineering with Storm presented at REcon 2008

by Pierre-Marc Bureau

Summary: The Storm Worm is a family of malware that has been present on the Internet for more than eighteen months. It has attracted quite a bit of media attention due to its huge spam campaigns and the size of its botnet. Its authors have invested much time and effort to build a strong and reliable botnet.
From a technical perspective, Storm is fascinating to analyze since it is in constant evolution. It has several unique features, such as infected computers receiving orders from their controllers via encoded peer-to-peer communication. Also, the binaries are protected with various anti-debugging and anti-emulation techniques.
Since I began following the evolution of the Storm Worm in January 2007, it has taught me about reverse engineering, browser exploitation, JavaScript obfuscation and network forensics. In this presentation, I explain how the Storm Worm authors attempt to fool the emulators used by antivirus engines by making fake API calls, show some of the binary obfuscation techniques used by this malware and how they can be bypassed. In terms of browser exploits, I show how one decodes the obfuscated exploit code using a publicly available JavaScript interpreter and which vulnerabilities are being exploited.
In the second part of my presentation, I explain key features of Storm's peer-to-peer network and how static analysis revealed important information about the network: we were able to recover the key used in the network encoding routine and the hash generation routine used by the botnet controller to send commands to its botnet. With this information, we were able to create a tool to connect to Storm's network and learn more about its authors and their operations.