Overview
Analyze the ZZNet Worm and write a ClamAV signature that detects it
Proposal
The VBScript contains ASCII art that says "ZZNet Worm", and I couldn't find any prior reporting on it. It appears to facilitate infection by registering a debugger for several processes, and appears to spread itself to USB devices.
This is from a binary created with VbsEdit, a tool that creates PEs from a given VBScript. We've written a ClamAV bytecode signature that extracts the underlying scripts from these executables, and would like to leverage that to match on the underlying malicious VBS (so we need a signature on the script contents itself).
Technologies Involved
VBScript
Expected Difficulty
Beginner/Easy - Can be accomplished with basic RE: there is little to no obfuscation involved, there are fewer than 200 lines of code to analyze, and write-ups exist that walk through reversing this malware.
Technical Info
PEs containing the VBScript:
7ae3b394c5aed4f4ba9b60db668b2e0ad6ba7e91fa298a9847cfd6e8a96e0d7f
Use
clamscan --debug --leave-temps <sample dir> 2>&1 | grep "bytecode: scanning extracted file"
to extract the script; the matched debug line names the dumped file, which --leave-temps keeps on disk after the scan.
Link to download the sample: https://malshare.com/sample.php?action=detail&hash=b3bf11613c07eb87df9ecb8a259058d5
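Once the script has been dumped, the task is a body signature on its contents. The following is an added example, not code from this proposal or from ClamAV: it builds an extended-format (.ndb) signature from bytes taken from the extracted text and translates the common hex-signature wildcards (`??`, `*`, `{n}`, `{n-m}`, `(aa|bb)`) into a regex so a candidate can be sanity-checked against the dumped file before running `clamscan -d`. `SAMPLE_VBS` is a constructed stand-in, not the real sample; the signature name `Win.Worm.ZZNet-Example` is an assumption. Note that the real script's banner is ASCII art, so the name "ZZNet Worm" is unlikely to occur as a literal byte string; choose a sequence that actually appears in the extracted file (a comment, a string, or a distinctive statement).

```python
"""Build a ClamAV .ndb body signature from bytes in an extracted VBScript and
pre-check locally that it would hit, before handing it to clamscan/sigtool."""
import re

# Constructed stand-in for the extracted script. It is NOT the ZZNet sample:
# the real script's banner is ASCII art, so pick bytes that literally occur in
# the dumped file rather than assuming the name appears as plain text.
SAMPLE_VBS = b"""' ZZNet Worm  (constructed comment line for this example)
Set sh = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
"""

# One token of a ClamAV hex body signature: {n}/{n-m} gaps, '*', '??',
# (aa|bb) alternatives, or a single literal byte.
_TOKEN = re.compile(r"\{\d*-?\d*\}|\*|\?\?|\([0-9a-fA-F|]+\)|[0-9a-fA-F]{2}")


def to_hex_sig(data: bytes) -> str:
    """Literal bytes -> ClamAV body signature (lowercase hex, no separators)."""
    return data.hex()


def ndb_line(name: str, hexsig: str, target: int = 0, offset: str = "*") -> str:
    """Extended signature (.ndb) record: Name:TargetType:Offset:HexSignature.
    Target 0 = any file type; offset '*' = anywhere in the file."""
    return f"{name}:{target}:{offset}:{hexsig}"


def hexsig_to_regex(hexsig: str) -> re.Pattern:
    """Translate the common hex-signature wildcards into a bytes regex so a
    candidate can be checked against an extracted file without clamscan.
    Handled: literal bytes, ??, *, {n}, {n-m}, {n-}, {-m}, (aa|bb)."""
    parts = []
    pos = 0
    for m in _TOKEN.finditer(hexsig):
        if m.start() != pos:
            raise ValueError(f"unparsable hex signature at offset {pos}: {hexsig!r}")
        pos = m.end()
        tok = m.group(0)
        if tok == "*":
            parts.append(b".*?")                  # any number of bytes
        elif tok == "??":
            parts.append(b".")                    # exactly one arbitrary byte
        elif tok.startswith("{"):
            lo, dash, hi = tok[1:-1].partition("-")
            if not dash:
                parts.append(b".{%d}" % int(lo))  # {n}: exactly n bytes
            else:
                # {n-m}: between n and m bytes; either bound may be omitted
                parts.append(b".{%s,%s}" % (lo.encode(), hi.encode()))
        elif tok.startswith("("):
            alts = [re.escape(bytes.fromhex(a)) for a in tok[1:-1].split("|")]
            parts.append(b"(?:" + b"|".join(alts) + b")")
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    if pos != len(hexsig):
        raise ValueError(f"trailing garbage in hex signature: {hexsig[pos:]!r}")
    return re.compile(b"".join(parts), re.DOTALL)


def matches(hexsig: str, data: bytes) -> bool:
    """True if the body signature would hit somewhere in data."""
    return hexsig_to_regex(hexsig).search(data) is not None


if __name__ == "__main__":
    # Signature name is an example; pick bytes that really occur in the script.
    sig = ndb_line("Win.Worm.ZZNet-Example", to_hex_sig(b"ZZNet Worm"))
    print(sig)                                     # paste into a .ndb file for clamscan -d
    print(matches(sig.split(":")[3], SAMPLE_VBS))  # True
```

The regex check is only a pre-filter: it does not reproduce ClamAV's target-type normalisation or its rules on minimum static bytes around wildcards, so confirm the final line with `clamscan -d your.ndb <extracted script>` (and `sigtool --hex-dump` to produce hex for longer literal runs).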