Table of Contents

Papers

shellcode emulation

Advanced Computer Networks Polymorphic Shellcode (Detection)

papers_and_news:advanced_computer_networks-polymorphic_shellcode_detection_2006_gratl.pdf
by Christoph Gratl

Analyzing Network Trafﬁc To Detect Self-Decrypting Exploit Code

http://discovery.csc.ncsu.edu/pubs/ASIACCS07a.pdf

Permission to make digital or hard copies of all or part of this work for
personal or classroom use is granted without fee provided that copies are
not made or distributed for proﬁt or commercial advantage and that copies
bear this notice and the full citation on the ﬁrst page. To copy otherwise, to    
republish, to post on servers or to redistribute to lists, requires prior speciﬁc 
permission and/or a fee.
                                                                                  
ASIACCS’07, March 20-22, 2007, Singapore.
                                                                                  
Copyright 2007 ACM 1-59593-574-6/07/0003 ...$5.00

by Qinghua Zhang, Douglas S. Reeves, Peng Ning, S. Purushothaman Iyer

generic

Operation Cyberslam

http://www.reverse.net/operationcyberslam.pdf

They re just a bunch of script kiddies

Life, Love, and War in the Underground
Rob Thomas 5 November 2003
http://www.cert.pl/PDF/secure2003/thomas1.pdf

The Case for Beneficial Computer Viruses and Worms

http://csrc.nist.gov/nissc/2000/proceedings/papers/601.pdf

Understanding shellcodes

http://www.hick.org/code/skape/papers/win32-shellcode.pdf

Analyzing Worms using Compression

From: Stephanie Wehner
http://homepages.cwi.nl/~wehner/worms/

Analyzing Worms and Network Traffic using Compression

From: Stephanie Wehner
http://arxiv.org/abs/cs.CR/0504045

Entropy Based Worm and Anomaly Detection in Fast IP Networks

http://www.tik.ee.ethz.ch/~ddosvax/publications/papers/wetice05_entropy.pdf

New Fields of Applications for honeynets

papers_and_news:new_fields_of_application_for_honeynets.pdf Master Thesesis by Thorsten Holz

Bagle

Reverse Code Engineering: An In-Depth Analysis of the Bagle Virus

http://home.arcor.de/idapalace/papers/bagle_analysis_v.1.0.pdf

Dabber

LURHQ Dabber Worm Analysis

http://www.lurhq.com/dabber.html

Mydoom & Doomjuice

Attack Analysis: Observation of the Novarg/MyDoom Worm

http://www.tik.ee.ethz.ch/~ddosvax/attacks/mydoom/

MyDoom.B Worm Analysis

http://isc.sans.org/presentations/MyDoom_B_Analysis.pdf

MyDoom.C Analysis (Doomjuice)

http://www.lurhq.com/mydoom-c.html

A Brief Analysis of Bofra/MyDoom.AG/AH

http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2004-11/0249.html

Netsky

NETSKY.D MUSICAL PAYLOAD: SOUNDS FROM OUTER SPACE

http://arnold.mcdonald.free.fr/php/Main.php?p=1001

Sasser

LURHQ Sasser Worm Analysis

http://www.lurhq.com/sasser.html

Sobig

Who wrote Sobig

http://spamkings.oreilly.com/WhoWroteSobig.pdf

SQL Slammer

The spread of the Sapphire/Slammer Worm

http://www.caida.org/outreach/papers/2003/sapphire/sapphire.html

Poxdar

This Worm is mainly unknown, no real analysis yet, but as we receive that many samples from doxpar, here are some links to av vendors ‘analysis’ reports.
If you want a sample to write a better analysis, contact us.
The sample has the md5sum 17028f1eda9d3a3f7423f47bd2f525f6 , current nepenthes is able to catch the virus in no time.

AV Vendors

http://securityresponse.symantec.com/avcenter/venc/data/w32.poxdar.html
http://www.sophos.com/virusinfo/analyses/w32doxpara.html

Witty Worm

Outwitting the Witty Worm

Exploiting Underlying Structure for Detailed Reconstruction of an Internet Scale Event
http://www.cc.gatech.edu/~akumar/witty.html
http://www.cc.gatech.edu/~akumar/witty-draft.pdf

nepenthes

Development

Scene

Service

Misc