
10.1 Malware Identification and Monitoring Exercise

Using the Windows Sysinternals suite of diagnostic tools, identify the behaviors of the Alarm Clock application that make it a software Trojan. Note any filesystem, memory, registry, or other activity that is unrelated to the program's advertised functionality. The Alarm Clock application is available at the following location:

Alarm Clock Java Application (Windows® installer):
http://reversingproject.info/repository.php?fileID=10_1_1

Note that even though the Alarm Clock application is written in Java, the bytecode has been aggressively obfuscated to discourage the use of decompilation as a strategy for learning the application's behavior.
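The exercise asks for activity that the advertised function does not explain. As an added example (not part of the manual or the reversingproject.info materials), the script below triages a Process Monitor CSV export: events under the program's own install directory and settings key (hypothetical paths) are treated as baseline, and every other registry or filesystem event is labelled by the kind of information it touches. The sample events are constructed for the example.

```python
import csv
import io
import re

# Constructed sample in the column layout of a Process Monitor CSV export;
# process name, PID, paths and timestamps are made up for this example.
SAMPLE_CSV = (
    '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"\n'
    '"9:01:02.1","javaw.exe","1234","RegQueryValue","HKLM\\SOFTWARE\\Microsoft'
    '\\Windows NT\\CurrentVersion\\DigitalProductId","SUCCESS","Type: REG_BINARY"\n'
    '"9:01:02.3","javaw.exe","1234","RegOpenKey","HKLM\\SOFTWARE\\Microsoft'
    '\\Windows\\CurrentVersion\\Uninstall","SUCCESS","Desired Access: Read"\n'
    '"9:01:03.0","javaw.exe","1234","QueryDirectory","C:\\Users\\lab\\Documents'
    '\\budget.xlsx","SUCCESS","FileBothDirectoryInformation"\n'
    '"9:01:03.5","javaw.exe","1234","CreateFile","C:\\alarmdata\\hosts.log",'
    '"SUCCESS","Desired Access: Generic Write"\n'
    '"9:01:04.0","javaw.exe","1234","ReadFile","C:\\Program Files\\AlarmClock'
    '\\alarm.wav","SUCCESS","Offset: 0"\n'
)

# Activity an alarm clock legitimately needs: its own install directory and
# settings key (hypothetical locations chosen to match the sample above).
BASELINE = (r"^c:\\program files\\alarmclock\\", r"^hkcu\\software\\alarmclock\\")

# (operation regex, path regex, detail regex, label); paths and details are
# matched case-insensitively, and the first matching rule wins.
RULES = [
    (r"^Reg", r"\\Windows NT\\CurrentVersion\\(DigitalProductId|ProductId)$", r"",
     "registry: Windows installation / license key"),
    (r"^Reg", r"\\CurrentVersion\\Uninstall(\\|$)", r"",
     "registry: installed-program inventory"),
    (r"^(QueryDirectory|CreateFile)$", r"\.(docx?|xlsx?|pptx?|od[tsp]|pdf|txt)$", r"",
     "filesystem: document discovery"),
    (r"^CreateFile$", r"^[a-z]:\\[^\\]+\\[^\\]+$", r"write",
     "filesystem: write into a directory directly off the root"),
]


def triage(csv_text):
    """Return (operation, path, label) for each non-baseline event that matches a rule."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        if any(re.match(p, path, re.I) for p in BASELINE):
            continue  # expected for the advertised function, not reported
        for op_re, path_re, detail_re, label in RULES:
            if (re.search(op_re, op) and re.search(path_re, path, re.I)
                    and re.search(detail_re, detail, re.I)):
                findings.append((op, path, label))
                break
    return findings
```

Process Monitor's network events cover TCP and UDP, so the ICMP ping scan is better observed with a packet capture alongside this filesystem and registry triage.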

10.2 Malware Identification and Monitoring Exercise Solution

The Alarm Clock application is a benign software Trojan that, in addition to being a rudimentary alarm clock, collects information about the Windows® installation and randomly scans for computers on the Internet or Intranet that will respond to an ICMP ping. The application logs all of the information it gathers into several files in a directory off of the root filesystem, or off of the current directory (if the root filesystem is not writeable). The specific information gathered by the application is as follows:

- Registry data on the Windows® installation, including the license key.
- Registry data on the currently installed programs.
- The locations of Microsoft Office, OpenOffice, PDF, and text documents in the
