Full Disclosure mailing list archives

Inkasso Trojaner - Part 3


From: Curesec Research Team <crt () curesec com>
Date: Mon, 16 Sep 2013 13:41:00 +0200


Hi Folks,

Contrary to our first assumption, the trojan was more complex than
estimated, so it took us some time to continue the research on it.

Here you will find Part 3:
https://cureblog.de/2013/09/inkasso-trojaner-part-3/

In this report we point out how the rootkit infects a system, how it
operates and what kind of anti-reversing and anti-debugging techniques
are in place. We will use several tools:

* ExeInfo PE
* IDA Entropy Plugin
* SysInternals Suite
* IDA Pro
* Immunity Debugger

In the next report we will write more about the rootkit functionality
and the botnet itself.

If you missed the other parts, find them here:
https://cureblog.de/2013/06/inkasso-trojaner-part-1/
https://cureblog.de/2013/07/inkasso-trojaner-part-2/

Cheers and Happy Reversing!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
