Chapter 9: DIY Malware Analysis

Figure 9.32 IDA Pro disassembles instantmsgrs.exe, a WootBot variant

Advanced Analysis and Forensics

The end of 2006 saw an explosion in spam e-mail. Security analysts agree that the vast majority of spam sent today is broadcast by huge zombie/bot armies. These are usually PCs infected with various forms of malware that allow them to be accessed covertly and used remotely for spam distribution and other unwanted, unsuspected activity. The AV industry (and related anti-malware companies) is barely coping with the number of new malware variants released daily, as both reactive and proactive defensive measures fail to stop the intrusions.

When an incident happens in an organization, the security administrator often has to assess its impact quickly and decide what should be done with the infected machine(s). While the correct answer, unfortunately, is often to reinstall the machine from scratch, this does not prevent future infections unless the infection vector has been determined. It usually takes hours or longer for AV companies to release definitions for new malware, and days, if not weeks, to post technical documents about the most common malware. It is also often the case that the particular malware that has hit the organization is not widespread, in which case technical analysis from the AV vendor may not be available at all. In cases like this, the security administrator often has to analyze the malware himself and gather as much information as possible in order to ensure that the organization's core business functions remain stable and uninterrupted.

www.syngress.com