I was asked to explain why I am interested in malware. Well – why not? Other people are collecting strange things too – coins, stamps,…
The first worm I tried to understand was the well-known Loveletter. As it is just a VBScript, it is very easy to understand. Why did I read it? Well… there were enough in my mailbox and obviously it wanted to be read.
I started my analysis. With every line of code I discovered more of the way the programmer was thinking, but it was way too simple to understand. So I put it away into the ‘I will have a look at it if I am bored and got nothing better to do’ folder and forgot about analyzing it any further, until bad things started to happen on my IRC network.
The first clone flood came and about 2000 zombies conquered my network. A nightmare. So I went out searching for a solution and came across honeypots that enabled me to catch those worms. That was the big deal itself. I started deploying them and harvested many malware samples, which I analyzed with my limited means. As there was no source code available, it was damned hard to find a clue. But I tried harder, as I wanted to strike back against the one flooding my network.
My virus scanner behaved in a strange fashion on those files. So I began to seek help from the vendor and started submitting the samples. I came across the problem that many of my samples were damaged due to transmission problems. The solution was developing a filter system to sort the good ones from the bad ones. But a malware scanner does not solve my problem regarding clone floods.
The source code of a bot finally gave me some hints on fighting more effectively. I am still using it as a reference book, as many bots are still just clones using the basic skeleton.