Software Reverse Engineering (SRE)

Web Supplement to Master's Thesis at San José State University

  • You are here: 
  • Home
  • Malware Identification and Monitoring Exercise

Malware Identification and Monitoring Exercise

Description of the Exercise:

Using the Windows Sysinternals suite of diagnostic tools, identify the behaviors of the Alarm Clock application that make it a software Trojan. Note any filesystem, memory, registry, or other activity that is unrelated to the program’s advertised functionality.  Note that even though the Alarm Clock application is written in Java, the bytecode has been agressively obfuscated to discourage the use of decompilation as a strategy for learning the application’s behavior.

Software for the Exercise:

Solution to the Exercise:

The Alarm Clock application is a benign software Trojan that in addition to being a rudimentary alarm clock, collects information about the Windows® installation, and randomly scans for computers on the Internet or Intranet that will respond to an ICMP ping.  The application logs all of the information it gathers into several files in a directory off of the root file system, or off of the current directory (if the root files system is not writeable). The specific information gathered by the application is as follows:

  • Registry data on the Windows® installation including the license “key”.
  • Registry data on the currently installed programs.
  • The locations of office, pdf, and general text documents.
  • IP addresses of random Internet/Intranet hosts that respond to an ICMP ping.
Malware Identification and Monitoring Exercise Solution
Figure 1. Malware Identification and Monitoring Exercise Solution

Posted on May 20th, 2009 | By:

Comments are closed.