Eric Landuyt from DataRescue analyzed a piece of malware that abuses the Background Intelligent Transfer Service (BITS) as a covert channel.
From the site:
"A strange executable, named MSMSGS.EXE, was found on several machines on the network of a customer, apparently dropped by the exploitation of a vulnerability inside Word files. As monitoring tools (registry/file/socket) provided insufficient information on the malware's behaviour, we proceeded with a complete analysis."
29A Group retired forever.
I tried to contact ValleZ for some time in order to take a decision together about the future of 29A with no luck, therefore I decided to take the decision alone. And my decision is that 29A goes officially retired. I feel this is fair because I am kinda the alpha and the omega of the group. 29A was born in Dark Node, my BBS, and I am the last active member of the group. My last words as a 29A member are for all the people that worked hard to make this group the best one: Thank you very much! Regards, VirusBuster/29A
The Blue Pill PoC published finally.
SB.BADBUNNY is a multi-platform worm distributed as an OpenOffice document containing a StarBasic macro.
This worm first infects you when you open an OpenOffice Draw file called badbunny.odg. A macro included in the file performs different functions depending on whether you are running Windows, MacOS or Linux.
Tom Liston and Ed Skoudis have written a clear paper on how to detect a virtual machine, and on some possible methods for protecting it against such detection.
Kaspersky Labs discovered the first virus designed to infect the iPod. It does not work on normal iPods that are running the default iPod operating system. This virus cannot be launched automatically without user involvement. Once launched, the virus scans the device's hard disk and infects all executable .elf format files. Any attempt to launch these files will cause the virus to display a message on the screen which says "You are infected with Oslo the first iPodLinux Virus".
Does anyone have this malware?
All versions of Windows support animated mouse pointers, and a function in USER32.DLL loads the animated mouse pointer. An .ani file is built from chunks; each chunk starts with a 4-byte ID word followed by a DWORD holding the chunk length. One of these chunks is "anih", which is 36 bytes long. The vulnerability is that the code does not check the length field of the "anih" chunk before using it. Here are some teams that have published their analysis of the ANI vulnerability:
Some days ago researchers issued an alert for the Microsoft Windows Cursor and Icon (.ANI) zero-day vulnerability; now they have issued an alert for a new worm.