Some iPods Shipping with Viruses
Submitted by dannyquist on Wed, 2006-10-18 05:03. Malware
Apple has publicly apologized for including a virus on some of the latest iPods. While only 25 have been detected so far, this is still a disturbing trend. Apparently another unnamed manufacturer makes the iPods and is responsible for the infection.
One interesting quote is, "As you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it."
Would You Like a Virus with that?
Submitted by dannyquist on Sun, 2006-10-15 20:00. Malware
McDonald's gave away MP3 players loaded with a little more than music on them. It appears that they came preloaded with a QQPass variant as well. Anyone have a copy different than our archives?
New Licat (MSN Worm)
Submitted by drean on Thu, 2006-09-21 05:14.
Another MSN worm is on the loose here, message from MSN:
---------------------------------------------------------
XXXXX@msn.com says:
lol check hxxp://peopleonline.pe.funpic.de/ photo942.PIF
---------------------------------------------------------
Rakningen Trojan
Submitted by drean on Mon, 2006-09-18 02:12.
A new “rakningen” Trojan is being spammed, this time it is a downloader, which downloads this file:
"http://www. dolas.biz/ ssl. exe" (again the URL is split) and executes it.
This file ssl.exe drops hook.dll, which is injected into most running processes. It creates/edits a lot of registry values.
Yet another MSN worm...
Submitted by drean on Sun, 2006-09-17 14:38.
So, I log on my computer this evening, and I get spammed with MSN messages like this:
"lol check http ://www. uglyphotos. net /photo223. PIF" URL split for your safety ;)
I've added this to the database:
MD5SUM: aae98749a6d2cb23c3eba83a794f9edf
SHA1SUM: 8a39f2c7f954110227a753816f634d5359e5a349
SHA256SUM: 7dba761a6af4bbc18381d50c158470540f87e6a2aeefca6db18c10d8b3e6c8f2
I download the file and run it through virustotal.com and Jotti's virus scanner; only a few antivirus programs detect this thing, so I decide to take a look at it.
BinBLAST Pre-Alpha Release
Submitted by hllywood on Sun, 2006-09-10 17:27. Research | tools
BinBLAST is an extension of Karlin and Altschul's Basic Local Alignment and Search Tool (BLAST) to work with binaries. This technique has proved invaluable in aiding reverse engineering of genomes and its variants have become mainstays of modern bioinformatics. The analog developed for security analysis of binary executables, binBLAST, demonstrates sensitivity to code versions, compiler variations, and can be used to generate antivirus signatures.
Attached to this post is the code as of the DefCon presentation, provided without much documentation. If you have the DefCon CD, there is an outline in the slides of the programs and how they fit together. This includes the proof-of-concept code necessary to produce signatures of uniqueness.
Symbian OS Malware
Submitted by Anonymous on Wed, 2006-09-06 12:57. Malware
Check this address:
http://www.offensivecomputing.net/?q=node/199
I try to download the attachment but it isn't being downloaded.
I enter one of the MD5s in Malware Search: Nothing
I enter a name in Malware Search: Nothing
Can somebody help?
Determining Physical Offsets from Virtual Addresses in PE Files
Submitted by dannyquist on Sun, 2006-09-03 20:33. tools
While writing some PE analysis code I needed to calculate the actual physical offset in a PE file for a given RVA (relative virtual address). Looking around on the Internet it was non-obvious. The Metasploit Framework's msfpescan was actually the most help. I've ported it to Ero Carrera's pefile module and attached the patch to this post. Pefile is a Python module that I highly recommend.
Read more for the simple technique.
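The RVA-to-physical-offset calculation the post refers to, as an added Python example (not the patch attached to the post and not pefile's own code): it walks the section table by hand so it runs without pefile, maps an RVA through the section whose virtual range contains it, and returns None for an RVA that has no bytes on disk; build_sample_pe constructs a minimal two-section PE header purely as sample input.

```python
import struct

SECTION_HEADER_SIZE = 40  # sizeof(IMAGE_SECTION_HEADER)

def parse_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table; return
    a list of (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, table + i * SECTION_HEADER_SIZE)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, rptr, rsize))
    return sections

def rva_to_offset(data, rva):
    """Physical file offset for an RVA, or None if no bytes on disk back it."""
    sections = parse_sections(data)
    # Headers are mapped 1:1 ahead of the first section, so there RVA == file offset.
    if sections and rva < min(s[1] for s in sections):
        return rva
    for _name, vaddr, vsize, rptr, rsize in sections:
        # In memory a section spans max(VirtualSize, SizeOfRawData) from VirtualAddress.
        if vaddr <= rva < vaddr + max(vsize, rsize):
            delta = rva - vaddr
            # Past SizeOfRawData the loader zero-fills; those bytes do not exist on disk.
            return rptr + delta if delta < rsize else None
    return None

def build_sample_pe():
    """Constructed minimal PE-shaped buffer (sample data, not a real binary) with two sections."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 224  # PE32 optional header size; its contents are irrelevant for the mapping
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    def sect(name, vsize, vaddr, rsize, rptr):
        return struct.pack("<8sIIII", name, vsize, vaddr, rsize, rptr) + b"\0" * 16
    table = sect(b".text", 0x1000, 0x1000, 0x400, 0x400) + sect(b".data", 0x2000, 0x2000, 0x200, 0x800)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table
```

With the sample header, rva_to_offset(build_sample_pe(), 0x1010) returns 0x410 (0x10 into .text, whose raw data starts at 0x400), while 0x2300 returns None because it falls in the zero-filled tail of .data beyond its 0x200 bytes on disk.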
Password
Submitted by Anonymous on Sat, 2006-09-02 15:36. Malware
What's the password for the encrypted archives?
OR
how do I find the password?
Detection rate of AV scanners.
Submitted by Ichinin on Wed, 2006-08-30 11:23. Research
I read Robert Lemos' latest article:
http://www.securityfocus.com/brief/292
And I thought, how could someone do this more simply?
So I thought, "why not pack code twice"?
I booted up my VMware XP system, grabbed an old copy of Sircam + 2 EXE packers and did the following:
1. I packed the Sircam binary with UPX and a separate mod program (so it can be repacked without being ID'd as UPX) and validated using virustotal.com that it would be detected. It was successfully detected by almost every major scanner except one which surprised me a lot (*cough* Symantec *cough*).
