Reverse Engineering Perl2Exe back to Perl

August 1st, 2012 1 comment

The August issue of Digital Forensics Magazine (DFM) contains my article on reverse engineering Perl2Exe. The article describes a way to recover the source code of a Perl program from the executable created with the Perl2Exe program.

Perl2Exe is a program which converts Perl source code into standalone Windows executable files that hide the Perl code. When a forensic investigator encounters a Perl2Exe program (for example malware), analysing such a file can take a lot of effort. This article describes a new and easy to follow approach to recover the full Perl source code from these Perl2Exe executable files, making their analysis much easier.
Perl2Exe converts the Perl script by packing its source code inside a single executable together with a Perl interpreter. The Perl source code is included inside the executable in encrypted form and thus cannot easily be recovered from the executable.
In the past there have been a couple of other projects to retrieve the Perl source code from Perl2Exe executable files (see boxout 1). However, none of these projects work with the current versions of Perl and Perl2Exe. In the past couple of years a number of Perl2Exe versions have been released (see boxout 2), and each new version seems to break the previously found solutions for recovering the Perl source code.

Getting rid of the Buma Stemra ransomware malware – Windows 7

March 9th, 2012 28 comments

Word reached me that my approach to get rid of the Buma Stemra ransomware malware did not work on Windows 7. I initially only tested the approach on Windows XP, but I have now taken the time to test it on Windows 7 as well. The video below shows that the approach worked fine on Windows 7 in my test environment. While the approach is mostly the same, there are some small differences.

Getting rid of the Buma Stemra ransomware malware

March 3rd, 2012 59 comments

For a week or so now, a new Dutch version of some ransomware malware has been active in the Netherlands. This malware claims to be from Buma Stemra, but of course has nothing to do with the real Buma Stemra. The malware takes over the system by replacing the start of explorer.exe with itself, so as soon as the system starts, the malware is loaded instead of the normal Windows environment. The malware further disables editing the registry, accessing the task manager and getting access to the system in any other way. Once infected with the malware, you cannot access your own system anymore; the only thing the system will do is show the screen below.

