Storm Worm Process Injection Analysis Paper
Posted by jeremy on March 9th, 2008
Danny Quist from Offensive Computing has just published an outstanding write-up titled "Storm Worm Process Injection from the Windows Kernel". He lays out in great detail the analysis steps he performed on W32/StormWorm.gen1 to show the process injection method it uses to execute malicious code in user space. I think his conclusion sums up his findings quite nicely:
"The methods used by storm worm represent the latest advances in malware. The kernel payload method is a useful mechanism to subvert analysis and make reverse engineering more difficult. The sophistication of evasion tactics is increasing and will require further innovation to be able to maintain automated analysis techniques. In many cases traditional packers are being replaced with simpler encoding techniques combined with more complicated subversion methods."

Danny Quist, Storm Worm Process Injection from the Windows Kernel, March 9th 2008
I don't want to ruin the write-up by regurgitating it here, and I also don't want to take anything away from Danny's outstanding work, so go give it a read as I am sure you will enjoy it.