Analyzing CVE-2010-0188 exploits: Context aware malware (Part 2)

...Continued from Part 1.

Advancing shellcode

I was able to extract the shellcode from the attacks in June and July. I opened the x86 code in IDA Pro and was baffled; I knew it would take time and research to figure out what the attacker was trying to accomplish, although I could easily see that part of the code was trying to bootstrap a malicious binary. Since then I've read a paper titled "Understanding Windows Shellcode" (by skape, mmiller@hick.org), which explained what our friend Pat Casey was doing, almost line by line.
