I need the peacomm binary for some analysis. Fairly new stuff, released end of Jan called "Trojan.Peacomm" by symantec. Thanks!
Some days ago researchers declared an alert for Microsoft Windows Cursor and Icon(.ANI) zero day vulnerability . now they declared an alert for a new worm .
Metasploit is pleased to announce the immediate free availability of the Metasploit Framework version 3.0 from http://framework.metasploit.com/.
"The botnet operator behind the virulent Nirbot Trojan is having a field day taunting anti-virus researchers.
While it is common to find messages and shout-outs buried in virus code, the person(s) behind Nirbot is rather talkative, leaving hostile threates directed at specific individuals, a strange apology for something involving "hospital computers" and even a mock CNN interview that discusses the bot's intent."
IrnBot is getting more personal it seems.
The bot does the following depending what server its on:
JOIN ##OC hellovalsmit
I guess he's a fan of the site? Why not contribute positively here instead of making a bunch of negative malware?
You'll notice the irc channel name is #OC and the leet speak spelling of OffensiveComputing.
I guess the malware author is a fan of our site? :) Or maybe we will see an Anti Offensive Computing Rant similar to the symantec / cnn one ?
This is a cheatsheet to WinDbg from Microsoft. Thanks to the Metasploit for writing this.
A generous user provided us with the rinbot / delbot sample. However our scans show it as vanbot.
AntiVir 188.8.131.52 03.02.2007 BDS/VanBot.AY.10
Authentium 4.93.8 03.04.2007 W32/Backdoor.AGKF
Avast 4.7.936.0 03.03.2007 no virus found
AVG 184.108.40.2067 03.03.2007 Win32/CryptExe
BitDefender 7.2 03.04.2007 Backdoor.VanBot.L
CAT-QuickHeal 9.00 03.02.2007 Backdoor.VanBot.ay
ClamAV devel-20060426 03.03.2007 no virus found
Could someone upload a copy of rinbot / delbot? it targets symantec and seems a bit interesting.
RolfRolles has written an excellent article at OpenRCE about reverse engineering a sophisticated packer called HyperUnpackMe2.
"Modern protectors mutilate the original code section, use virtual machines operating upon polymorphic bytecode languages to slow reverse engineering, and take active measures to frustrate attempts to dump the process. Meanwhile, the complexity of the import protections and the amount of anti-debugging measures has steadily increased.
This article dissects such a protector and offers a static unpacker through the use of an IDA processor module and a custom plugin. The commented IDB files and the processor module source code are included. In addition, an appendix covers IDA processor module construction. In short, this article is an exercise in overkill. "
One of the many features of Vista that Microsoft has included is PatchGuard v2. Skywing has posted a great article on Uninformed about subverting PatchGuard v2. The protection mechanisms that Microsoft employs are some of the exact same ones that malware authors have been using for years.
There are some startling techniques that Microsoft is using to protect itself from reverse engineering and modification. One of them is to do a standard IsDebuggerPresent (or KdDebuggerNotPresent) to validate that PatchGuard isn't being debugged. The next protection mechanism is to use self-decrypting and self-modifying code inside of the Integrity Check Routine. Skywing has done a great job of outlining the defenses that are taken, as well as methods for subverting the system.
PatchGuard is meant to protect against unauthorized modifications of the Vista kernel. In essence, Microsoft does not want you to modify their kernel with your bad code. While these mechanisms are useful for preventing rootkits, as Skywing has pointed out they can be modified.