Dolphin Stadium Malware Analysis

An attacker compromised the Dolphin Stadium site and placed a link to a malicious JavaScript file in the front-page header. Every visitor's browser fetched and executed the script, which attempted to exploit two Internet Explorer-side vulnerabilities: MS06-014 (the MDAC RDS.DataSpace ActiveX control) and MS07-004 (the Vector Markup Language component). If either exploit attempt succeeded, a malicious executable was downloaded and run on the visitor's machine. This post focuses on those downloaded files.
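The injection pattern described above, a script reference in the page head pointing at a host the site does not own, is easy to check for from the site operator's side. The following is an added example, not code from the original post or from Websense: it parses a page with Python's standard-library HTML parser, collects every external script reference, and reports those whose host is neither the site's own host nor one of its subdomains, noting whether each sits inside `<head>` (where this compromise placed it). The sample page, the host names `stadium.example`, `evil.example` and `cdn.example`, and the script file names are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcCollector(HTMLParser):
    """Collects (src, in_head) for every <script src=...> tag in a document."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag == "head":
            self.in_head = True
        elif tag == "script":
            src = dict(attrs).get("src")  # HTMLParser lower-cases attribute names
            if src:
                self.scripts.append((src.strip(), self.in_head))

    def handle_endtag(self, tag):
        if tag.lower() == "head":
            self.in_head = False


def is_own_host(host: str, site_host: str) -> bool:
    """True if host is the site itself or one of its subdomains."""
    host, site_host = host.lower(), site_host.lower()
    return host == site_host or host.endswith("." + site_host)


def find_foreign_scripts(html: str, site_host: str) -> list:
    """Return script references served from hosts outside site_host.

    Relative paths (no host component) are treated as same-origin and skipped;
    protocol-relative "//host/x.js" references resolve to a host and are checked.
    """
    parser = ScriptSrcCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src, in_head in parser.scripts:
        host = urlparse(src).hostname
        if host is None or is_own_host(host, site_host):
            continue
        findings.append({"src": src, "host": host, "in_head": in_head})
    return findings


# Constructed sample page (not the real stadium page): one legitimate relative
# script, one legitimate subdomain script, one injected script in the head and
# one third-party script in the body.
SAMPLE_HTML = """<html><head><title>Stadium</title>
<script src="/js/site.js"></script>
<script src="http://static.stadium.example/menu.js"></script>
<script src="http://evil.example/w.js"></script>
</head><body><p>Welcome</p>
<script src="//cdn.example/lib.js"></script>
</body></html>"""

if __name__ == "__main__":
    for f in find_foreign_scripts(SAMPLE_HTML, "stadium.example"):
        where = "HEAD" if f["in_head"] else "body"
        print(f"[{where}] {f['host']}: {f['src']}")
```

Run against a freshly fetched copy of a page and diff the result against the list of third-party hosts the site is known to use; a new host appearing in the head, as here, is the signal to investigate.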

The first downloaded file, "w1c.exe", is a dropper written in Visual Basic and packed with NSPack. The author compiled the binary to P-code, which means it runs inside the Visual Basic virtual machine rather than as native x86 code. Malware authors often choose this form of compilation to slow down analysis, since a standard disassembler then shows only calls into the VB runtime rather than the program's own logic. We get around this with one of the few Visual Basic P-code decompilers available, which makes it fairly easy to see what the file does.

Websense® Blog: Dolphin Stadium Malware Analysis
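Before reaching for a P-code decompiler, an analyst usually wants two quick facts about a dropper like this one: is it packed, and is it a Visual Basic binary at all? The following is an added example, not code from the original post or from Websense. It walks the PE section table with the standard library only, computes Shannon entropy per section (high entropy is the usual sign of a packed or encrypted section), and searches the file for the `VB5!` magic that begins the Visual Basic runtime header. The section names `.nsp0`/`.nsp1`/`.nsp2` are listed as a hint because they are commonly reported on NSPack-packed files; that list comes from analyst experience, not from the page, and the entropy threshold of 7.0 is a conventional choice rather than a fixed rule. The sample PE is built in memory for the example and is not the real `w1c.exe`.

```python
import math
import random
import struct
from collections import Counter

PACKED_ENTROPY = 7.0  # conventional threshold; assumption, tune per environment
PACKER_SECTION_HINTS = {".nsp0", ".nsp1", ".nsp2"}  # commonly seen with NSPack (analyst experience)
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is maximal (uniformly random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Return [(name, raw_bytes)] for each section in a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    first_hdr = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr, *_ = struct.unpack_from(
            SECTION_HDR, pe, first_hdr + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def analyze(pe: bytes) -> dict:
    """Flag high-entropy or packer-named sections and look for the VB runtime magic.

    The VB5! search is a whole-file scan; a precise check would follow the PUSH at
    the entry point to the VB header, which this simplified example does not do.
    """
    report = {"sections": [], "likely_packed": False, "vb_signature": b"VB5!" in pe}
    for name, data in parse_sections(pe):
        h = shannon_entropy(data)
        suspicious = h >= PACKED_ENTROPY or name.lower() in PACKER_SECTION_HINTS
        report["sections"].append({"name": name, "entropy": round(h, 2), "suspicious": suspicious})
        report["likely_packed"] = report["likely_packed"] or suspicious
    return report


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 for the demo: a low-entropy .text holding the
    VB5! magic and a pseudo-random .nsp1 standing in for a packed section."""
    rng = random.Random(2007)
    text = b"VB5!" + b"\x00" * 4092
    packed = bytes(rng.getrandbits(8) for _ in range(4096))
    pe_off, opt_size, nsec = 0x80, 224, 2
    dos = bytearray(b"MZ" + b"\x00" * (pe_off - 2))
    struct.pack_into("<I", dos, 0x3C, pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x0102)
    opt = b"\x0b\x01" + b"\x00" * (opt_size - 2)  # PE32 magic 0x10B, rest zeroed
    hdr_end = pe_off + 4 + 20 + opt_size + 40 * nsec
    raw0 = (hdr_end + 0x1FF) & ~0x1FF  # first section at a 512-byte file alignment
    raw1 = raw0 + len(text)
    sec0 = struct.pack(SECTION_HDR, b".text", len(text), 0x1000, len(text), raw0, 0, 0, 0, 0, 0x60000020)
    sec1 = struct.pack(SECTION_HDR, b".nsp1", len(packed), 0x2000, len(packed), raw1, 0, 0, 0, 0, 0xE0000020)
    image = bytes(dos) + b"PE\0\0" + coff + opt + sec0 + sec1
    image += b"\x00" * (raw0 - len(image))
    return image + text + packed


if __name__ == "__main__":
    r = analyze(build_sample_pe())
    for s in r["sections"]:
        print(f"{s['name']:<8} entropy={s['entropy']:.2f} suspicious={s['suspicious']}")
    print("likely packed:", r["likely_packed"], "| VB5! present:", r["vb_signature"])
```

On a real packed sample the `VB5!` magic is usually only visible after unpacking, so a negative result from the whole-file scan on a high-entropy binary means "unpack first and look again", not "not Visual Basic".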

Linked by shanmuga, Wednesday, 14th February 2007, 8:49PM