This should be it. I haven't analyzed it yet. Sorry it took me so long to put it up. Anyone who does an analysis will get front-posted :)
I need the peacomm binary for some analysis. Fairly new stuff, released end of Jan called "Trojan.Peacomm" by symantec. Thanks!
Some days ago researchers declared an alert for the Microsoft Windows Cursor and Icon (.ANI) zero-day vulnerability. Now they have declared an alert for a new worm.
Metasploit is pleased to announce the immediate free availability of the Metasploit Framework version 3.0 from http://framework.metasploit.com/.
"The botnet operator behind the virulent Nirbot Trojan is having a field day taunting anti-virus researchers.
While it is common to find messages and shout-outs buried in virus code, the person(s) behind Nirbot is rather talkative, leaving hostile threats directed at specific individuals, a strange apology for something involving "hospital computers" and even a mock CNN interview that discusses the bot's intent."
IrnBot is getting more personal it seems.
The bot does the following depending on what server it's on:
JOIN ##OC hellovalsmit
I guess he's a fan of the site? Why not contribute positively here instead of making a bunch of negative malware?
You'll notice the irc channel name is #OC and the leet speak spelling of OffensiveComputing.
I guess the malware author is a fan of our site? :) Or maybe we will see an Anti Offensive Computing Rant similar to the symantec / cnn one ?
This is a cheat sheet for WinDbg from Microsoft. Thanks to Metasploit for writing this.
A generous user provided us with the rinbot / delbot sample. However, our scans show it as vanbot.
AntiVir 220.127.116.11 03.02.2007 BDS/VanBot.AY.10
Authentium 4.93.8 03.04.2007 W32/Backdoor.AGKF
Avast 4.7.936.0 03.03.2007 no virus found
AVG 18.104.22.1687 03.03.2007 Win32/CryptExe
BitDefender 7.2 03.04.2007 Backdoor.VanBot.L
CAT-QuickHeal 9.00 03.02.2007 Backdoor.VanBot.ay
ClamAV devel-20060426 03.03.2007 no virus found
Could someone upload a copy of rinbot / delbot? It targets Symantec and seems a bit interesting.
RolfRolles has written an excellent article at OpenRCE about reverse engineering a sophisticated packer called HyperUnpackMe2.
"Modern protectors mutilate the original code section, use virtual machines operating upon polymorphic bytecode languages to slow reverse engineering, and take active measures to frustrate attempts to dump the process. Meanwhile, the complexity of the import protections and the amount of anti-debugging measures has steadily increased.
This article dissects such a protector and offers a static unpacker through the use of an IDA processor module and a custom plugin. The commented IDB files and the processor module source code are included. In addition, an appendix covers IDA processor module construction. In short, this article is an exercise in overkill."