Archived Blog

Reversing malware with oSpy

07.18.2008 - 4:45 PM

Today's blog will be about a tool called oSpy, written by André Vadla Ravnås. oSpy is a tool which helps in reverse-engineering Windows software. To demonstrate the uses of this tool and how it helps with network traffic monitoring, I have used a random malware sample from our repository.

Inside a VMware instance I executed the malware sample under oSpy and monitored the traffic.

Process Explorer shows that the malware executable, named x.exe, was executed.

Below we can see oSpy intercepting the network traffic.

Let's take a closer look at the data...
Here we can see that oSpy lets us know which network API functions were involved in the network communication.

oSpy also allows us to look at each piece of data that was sent and received over the network.

From the network analysis we can see that the malware sample was trying to download two binaries, called 2.exe and 3.exe, from a .cn website.

One of the key reasons you'd want to run oSpy as opposed to Wireshark is that oSpy is a user-land monitoring program, allowing us to monitor only certain applications as opposed to all network traffic on the machine. This way you get to see which traffic is originating from which process. Since oSpy hooks user-mode API calls, it also has the nice feature of allowing us to sync the captured API calls with the IDA Pro disassembler.
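As an added example (not part of the original post, and not oSpy's own code or export format), here is how an analyst would triage per-process socket-API records like the ones oSpy shows: reassemble the outbound HTTP requests from the intercepted send() buffers and report which process asked which host for an executable. The record layout, the process names and the host name are constructed for this example.

```python
"""Triage constructed per-process socket-API records (hypothetical layout,
not oSpy's export format) and report executable downloads per process."""
from dataclasses import dataclass
import re


@dataclass
class ApiCall:
    process: str   # name of the hooked process that made the call
    function: str  # intercepted Winsock function, e.g. "send" or "recv"
    data: bytes    # buffer handed to / returned from the call


# Constructed sample capture: x.exe issues two HTTP requests for executables,
# another process fetches an HTML page. Host name is a placeholder.
SAMPLE_CALLS = [
    ApiCall("x.exe", "connect", b""),
    ApiCall("x.exe", "send",
            b"GET /2.exe HTTP/1.1\r\nHost: host-redacted.cn\r\n\r\n"),
    ApiCall("x.exe", "recv",
            b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nMZ"),
    ApiCall("x.exe", "send",
            b"GET /3.exe?id=1 HTTP/1.1\r\nHost: host-redacted.cn\r\n\r\n"),
    ApiCall("browser.exe", "send",
            b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"),
]

REQUEST_LINE = re.compile(rb"^(GET|POST) (\S+) HTTP/1\.[01]\r\n")
HOST_HEADER = re.compile(rb"\r\nHost: ([^\r\n]+)")


def executable_downloads(calls, suffixes=(".exe", ".dll", ".scr")):
    """Return (process, host, path) for each outbound HTTP request whose path
    ends in an executable suffix. Only send() buffers are inspected, so the
    server's responses are ignored; the query string is stripped first."""
    hits = []
    for call in calls:
        if call.function != "send":
            continue
        m = REQUEST_LINE.match(call.data)
        if not m:
            continue
        path = m.group(2).decode("ascii", "replace").split("?", 1)[0]
        host_m = HOST_HEADER.search(call.data)
        host = host_m.group(1).decode("ascii", "replace") if host_m else "?"
        if path.lower().endswith(suffixes):
            hits.append((call.process, host, path))
    return hits


if __name__ == "__main__":
    for proc, host, path in executable_downloads(SAMPLE_CALLS):
        print(f"{proc} requested {path} from {host}")
```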

oSpy is a nice and handy tool to have in your anti-malware toolkit.

Security Researcher: Moti Joseph
