Scripting IDA Debugger to Deobfuscate Nymaim

Nymaim is active worldwide since at least 2013 and is also responsible for many infections in Switzerland. Sinkhole Data shows that Nymaim is responsible for about 2% of infected devices 1 in Switzerland that hit sinkholes the last few days. Nymaim uses powerful code obfuscation techniques. These techniques have already been discussed several times. Many approaches use code emulation. We’d like to present an approach in this paper to do so by directly using IDA’s debugger feature and IDAPython to do the same, as it might be the more generic approach in certain cases. Also, we follow a slightly different approach to actually find all the obfuscation functions, and make the deobfuscation a bit more generic. No addi tional Python modules are required.

Scripting IDA Debugger to Deobfuscate Nymaim

Published on 2017-03-03 | Filesize: 1 MB | Type: PDF
Language: - EN | Version: v1.0 | Last moddified: 2017-03-03

Back to top