
New Mebroot (June Version)

Herein submitted the latest mebroot sample:

b3e5776e11cd5765a301fbce47fdafae

......

Race to 0 at the moment, still undetected.

That's cute, VT has never

That's cute, VT has never seen this file; I suspect that calculates to a "0 detections at VT" statement, eh?

The reality is it's detected by 9 of 40 at VT. ;)

Even more cute is that there is only a single entity that can safely remove this infection.

Virus Total

I submitted it to VT, so from a signature-checking point of view the file is undetected by the poly engine.

You mean that 9 AVs can detect the sample upon install, or the sample running?

---------------------------------------
Owasp Antimalware Project

www.owasp.org/index.php/OWASP_Anti-Malware_Project

That file is short 2 bytes

That file is short 2 bytes at the header. I pulled one out of Temporary Internet Files that is identical to this one; the file itself you point to doesn't execute here, but the executable that is dropped by the exploit pack to root has the 2 bytes inserted and runs.

I also got a zero detection rate at VT; I suppose it's because these files won't execute as they are.

At any rate, since so few know how to track these now, here is today's loader...

Full URL: hxxp://abimovdxes.com/ld/dxtrbc/
Redirected to: hxxp://abimovdxes.com/cgi-bin/index.cgi?dx
Document Size: 19222 Bytes

Current executable being

Current executable being served
http://www.virustotal.com/analisis/57c34f64d4f7a1f19551ea0bf503448be163f5546e2b3abd798e084663f74035-1244455307

http://www.offensivecomputing.net/?q=ocsearch&ocq=672d63968dbed4efccb04df9e3717bbf

Have a peek for yourself; you're sure to see a distinct difference.