Tracking down malware
by Daniel Bachfeld
Criminals increasingly attempt to camouflage the traces of their malware on the internet to keep control of a hijacked server for as long as possible. However, their tracks can be retraced with special tools that reveal which vulnerability the malware intends to exploit in order to enter a system.
Malzilla can also partially expose obfuscated code sequences without emulation, using its numerous decoder functions instead. For instance, it can automatically decode segments camouflaged with JavaScript's escape() function and write the result to a file. Malzilla also offers various decoding options that can be tried out manually. How and when to use these functions is demonstrated in many tutorials on the tool's project page.
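To show what that decoding step does, here is an added example (my own code, not Malzilla's): it strips escape()-style encoding from a constructed, doubly escaped sample one layer at a time and then lists the ActiveX ProgIDs and file names that surface, which is the information an analyst uses to tell which component the script is probing. The function names, the regular expressions and the sample string are my own assumptions; the names inside the sample are placeholders, not indicators from any real site.

```javascript
// Added example: static decoding of escape()-style obfuscation.
// %uXXXX and %XX sequences are replaced one layer at a time, so nested
// escape(escape(...)) wrappers are peeled off in order, and the final
// plaintext is scanned for the artefacts an analyst looks for first.

function decodeEscapeLayer(s) {
  // One pass only: a '%' produced here is not re-decoded until the next layer.
  return s
    .replace(/%u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

function peelEscapeLayers(s, maxLayers = 8) {
  // Returns every intermediate form, outermost first; stops when a pass
  // changes nothing or when the layer budget is exhausted.
  const layers = [s];
  for (let i = 0; i < maxLayers; i++) {
    const next = decodeEscapeLayer(layers[layers.length - 1]);
    if (next === layers[layers.length - 1]) break;
    layers.push(next);
  }
  return layers;
}

function extractIndicators(js) {
  // ProgIDs passed to ActiveXObject() and file names with interesting extensions.
  const progIds = [];
  const files = [];
  for (const m of js.matchAll(/ActiveXObject\(\s*["']([^"']+)["']\s*\)/g)) progIds.push(m[1]);
  for (const m of js.matchAll(/[\w-]+\.(?:jar|class|pdf|swf|exe)\b/gi)) files.push(m[0]);
  return { progIds, files };
}

function analyzeSample(encoded) {
  const layers = peelEscapeLayers(encoded);
  const plaintext = layers[layers.length - 1];
  return { layerCount: layers.length, plaintext, indicators: extractIndicators(plaintext) };
}

// Constructed sample: a short script escaped twice, with one %uXXXX unit
// hidden in the inner layer. Placeholder names only.
const SAMPLE =
  "x%253Dnew%2520Activ%25u0065XObject%2528%2522Example.Ctl%2522%2529%253Bs%253D%2522EXAMPLE.jar%2522%253B";

const report = analyzeSample(SAMPLE);
console.log(report.layerCount + " layers");   // prints "3 layers"
console.log(report.plaintext);
console.log(JSON.stringify(report.indicators));
```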
The segments decoded at apomith.com reveal that the criminals try to infect systems with a PDF exploit as well as a Java exploit. The code shows that they particularly target the users of Internet Explorer, testing whether the Microsoft browser includes the ActiveX control for Adobe Reader and investigating the version of the installed control. To exploit a potential hole in Java, the apomith site downloads the jjj.jar Java archive to the computer and starts it there.