DNAScan Malicious Network Activity Reverse Engineering
December 4th, 2009. Published under My Recent Reads.
Pulled from Google Reader.
Hi,
This paper is split into several episodes; the first two can be read here:
First
http://evilcodecave.blogspot.com/2009/11/dnascan-malware-analysis-from-browser.html
Second
http://evilcodecave.blogspot.com/2009/11/dnascan-malware-analysis-from-browser_15.html
In this blog post we will look in depth at the actual functionality of DNAScan,
which can be seen as a set of threads, each implementing a different networking role:
* Server Functionalities
* Client Functionalities
* Malicious File Exchange
* Generic Backdoor
Let's start at the beginning of the network setup. The main thread first calls WSAStartup to initialise the Winsock DLL, then a classic socket(), and immediately afterwards WSAIoctl.
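As an added example (not code from the original post, nor from the DNAScan sample itself), here is one way to locate that initialisation sequence in a per-thread API call trace instead of stepping to it in the debugger: the script groups calls by thread ID and flags any thread that calls WSAStartup, then socket(), then WSAIoctl on the handle that socket() just returned. The trace line format, thread IDs, handles and arguments are all constructed for the example.

```python
"""Added example: find the WSAStartup -> socket -> WSAIoctl setup in an API trace.

The trace format is constructed for this example and mimics the
"<tid> <api>(<args>) = <ret>" lines an API monitor or sandbox emits.
Thread IDs, handles and arguments are invented.
"""
import re
from collections import defaultdict

# Constructed sample trace: three threads, only 0x4c0 performs the full sequence.
SAMPLE_TRACE = """\
0x4c0 WSAStartup(0x202, 0x12fe40) = 0
0x4c0 socket(2, 1, 6) = 0x7c
0x4c0 WSAIoctl(0x7c, ...) = 0
0x4c0 CreateThread(...) = 0x80
0x4d8 CreateFileW(...) = 0x84
0x4d8 WriteFile(0x84, ...) = 1
0x4e0 WSAStartup(0x202, 0x12fe40) = 0
0x4e0 socket(2, 2, 17) = 0x88
0x4e0 bind(0x88, ...) = 0
"""

LINE_RE = re.compile(
    r"^(?P<tid>0x[0-9a-fA-F]+)\s+(?P<api>\w+)\((?P<args>[^)]*)\)\s*=\s*(?P<ret>\S+)$"
)

# The call order described in the post for the main thread's network setup.
WINSOCK_INIT_SEQUENCE = ("WSAStartup", "socket", "WSAIoctl")


def parse_trace(text):
    """Return {tid: [(api, args, ret), ...]} keeping per-thread call order."""
    calls = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable trace line: {line!r}")
        calls[m["tid"]].append((m["api"], m["args"], m["ret"]))
    return dict(calls)


def contains_ordered(apis, sequence):
    """True if `sequence` occurs in `apis` as an ordered, not necessarily
    contiguous, subsequence (other calls may be interleaved)."""
    it = iter(apis)
    return all(any(name == want for name in it) for want in sequence)


def find_winsock_init_threads(text):
    """Return {tid: socket_handle} for threads that run the Winsock init
    sequence and apply WSAIoctl to the socket they just created."""
    hits = {}
    for tid, calls in parse_trace(text).items():
        apis = [api for api, _, _ in calls]
        if not contains_ordered(apis, WINSOCK_INIT_SEQUENCE):
            continue
        # socket() returns the handle the later WSAIoctl should operate on.
        sock = next(ret for api, _, ret in calls if api == "socket")
        # First argument of each WSAIoctl call is the socket it targets.
        ioctl_targets = [
            args.split(",")[0].strip() for api, args, _ in calls if api == "WSAIoctl"
        ]
        if sock in ioctl_targets:
            hits[tid] = sock
    return hits


if __name__ == "__main__":
    for tid, sock in find_winsock_init_threads(SAMPLE_TRACE).items():
        print(f"thread {tid}: Winsock init sequence on socket {sock}")
```

Thread 0x4e0 also calls WSAStartup and socket() but goes on to bind() without WSAIoctl, so it is not reported; tying the ioctl to the handle returned by socket() is what separates the setup thread from any other thread that merely touches Winsock.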