Jul 19, 2015 | reverse engineering

The Faulty Precursor of Pykspa's DGA

Pykspa is a worm that spreads over Skype. The malware has been relying on a domain generation algorithm (DGA) to contact its command and control targets since at least October 2013. Even though the C2 infrastructure seems to be long abandoned, there are still many infected clients. Virustracker, ...

Jun 20, 2015 | reverse engineering

Win32/Upatre.BI - Part Four: Payload Format

This last article is all about the second stage payload of Upatre. The first part shows how the download handler decrypts and parses the payload. The analysis leads to a description of the payload's format. It also shows how the unpacking stub of the payload decompresses, prepares and launches the ...

Jun 16, 2015 | reverse engineering

Win32/Upatre.BI - Part Three: Main Loop

This blog post analyzes the core routine of Upatre. It is covered in only one of my four parts on Upatre, because it honestly doesn't do much. The ultimate goal of Upatre is to download the second stage payload, which will do the real damage. As already touched on in the discussion of Upatre's configuration ...

Jun 14, 2015 | reverse engineering

Win32/Upatre.BI - Part Two: Config

The first blog post of the series on Upatre showed how to unpack the malware. You can download the unpacked sample from malwr.com if you would like to retrace my reversing steps. This second part focuses on the configuration of Upatre. The first section presents the format of the data structures used ...