Scripting IDA Debugger to Deobfuscate Nymaim
Published on March 3, 2017 | Filesize: 1.2 MB | Type: PDF | Language: EN | Version: v1.0

Nymaim has been active worldwide since at least 2013 and is also responsible for many infections in Switzerland: sinkhole data shows that about 2% of the infected devices in Switzerland that hit sinkholes over the last few days are Nymaim infections. Nymaim uses powerful code obfuscation techniques, which have already been discussed several times, and many of the published approaches rely on code emulation. In this paper we present an approach that instead drives IDA's debugger directly from IDAPython to achieve the same result, which can be the more generic approach in certain cases. We also follow a slightly different approach to find all the obfuscation functions, which makes the deobfuscation a bit more generic. No additional Python modules are required.
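The abstract above describes scripting IDA's debugger from IDAPython instead of emulating the obfuscated code. The following skeleton is an added illustration of that idea and is not the GovCERT.ch script from the paper; the Nymaim-specific details of the obfuscation and of how the paper locates the obfuscation functions are not reproduced here. It assumes the sample is loaded in IDA 7.x with a local debugger configured, that the analyst supplies the call sites to resolve, and it uses one deliberately generic heuristic (an assumption, not taken from the paper): single-step into the wrapper and treat the first address at which execution leaves the wrapper function's byte range as the real call target. The byte-encoding and trace-analysis helpers are pure Python so they can be checked outside IDA; the debugger-driving functions only work inside IDA.

```python
"""
Illustrative IDAPython skeleton (added example, not the paper's code):
resolve the real target hidden behind an obfuscation wrapper by driving
IDA's debugger from IDAPython, then patch a direct call into the database
so the static listing becomes readable again.

Assumptions (mine, not the paper's):
  * sample loaded in IDA 7.x, local debugger (e.g. Win32) configured;
  * CALL_SITES lists the addresses of 'call <wrapper>' instructions to fix;
  * the wrapper is "escaped" as soon as EIP leaves the wrapper function's
    [start_ea, end_ea) range; that EIP is the real target.
"""
import struct

try:  # IDAPython modules exist only inside IDA; the pure helpers work without them
    import idc
    import ida_dbg
    import ida_funcs
except ImportError:
    idc = ida_dbg = ida_funcs = None

MAX_STEPS = 4096          # assumed upper bound on single-steps per wrapper
CALL_SITES = [0x00401234]  # constructed placeholder; replace with real call sites


def encode_call(call_ea, target_ea):
    """Encode a 5-byte near call (E8 rel32) at call_ea that lands on target_ea."""
    rel = (target_ea - (call_ea + 5)) & 0xFFFFFFFF
    return b"\xE8" + struct.pack("<I", rel)


def first_ea_outside(trace, start, end):
    """Return the first address in trace outside [start, end), or None if it never leaves."""
    for ea in trace:
        if not (start <= ea < end):
            return ea
    return None


def classify(call_ea, target):
    """A wrapper that merely returns to the instruction after the call is not an obfuscated call."""
    if target is None:
        return "unresolved"
    if target == call_ea + 5:
        return "plain-call"
    return "obfuscated"


def step_trace(wrapper_start, wrapper_end):
    """Single-step inside IDA, collecting EIP until control leaves the wrapper (requires IDA)."""
    trace = []
    for _ in range(MAX_STEPS):
        idc.step_into()
        idc.wait_for_next_event(idc.WFNE_SUSP, -1)
        eip = idc.get_reg_value("EIP")
        trace.append(eip)
        if not (wrapper_start <= eip < wrapper_end):
            break
    return trace


def resolve_call_site(call_ea):
    """Run to call_ea, step through its wrapper, return the real target or None (requires IDA)."""
    wrapper_ea = idc.get_operand_value(call_ea, 0)
    func = ida_funcs.get_func(wrapper_ea)
    if func is None:
        return None
    idc.run_to(call_ea)                       # temporary breakpoint at the call site
    idc.wait_for_next_event(idc.WFNE_SUSP, -1)
    if idc.get_reg_value("EIP") != call_ea:   # process exited or stopped elsewhere
        return None
    trace = step_trace(func.start_ea, func.end_ea)
    return first_ea_outside(trace, func.start_ea, func.end_ea)


def resolve_all(call_sites):
    """Resolve every call site in one debug session; returns {call_ea: target_or_None}."""
    if not ida_dbg.start_process("", "", ""):
        raise RuntimeError("could not start the debugger")
    results = {}
    try:
        for ea in sorted(call_sites):
            results[ea] = resolve_call_site(ea)
    finally:
        ida_dbg.exit_process()               # patch the database only after the process is gone
    return results


def patch_resolved(results):
    """Replace each resolved obfuscated call with a direct call and re-create the instruction."""
    for call_ea, target in results.items():
        if classify(call_ea, target) != "obfuscated":
            continue
        idc.patch_bytes(call_ea, encode_call(call_ea, target))
        idc.del_items(call_ea, idc.DELIT_SIMPLE, 5)
        idc.create_insn(call_ea)


if __name__ == "__main__" and idc is not None:
    patch_resolved(resolve_all(CALL_SITES))
```

Running to a call site with `run_to` only handles the first time execution reaches it; a call site inside a loop, or one never reached on the path the debugger takes, stays unresolved and is reported as such rather than being patched with a guessed target. Collecting all targets first and patching only after `exit_process()` keeps the patches in the database instead of in the debuggee's memory.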