In a lot of the malware that comes across the ISC, the author leaves some kind of signature or message in the code. This week we received a report of a botnet malware sample with a reference to SANS hidden in the binary; the message reads roughly as follows:
You better f##k off SANS.org especially that Johannes Ullrich (jullrich@XXX, XXX-XXX-XXXX) and Kevin Hong (khong@XXX.kr, +XX-X-XX-XXX). I really don't have anything against you, just p##s off alright?
The author of the malware also registered 'sans-security.org' (now defunct).
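Messages like the one above are usually found by simple string triage rather than full reverse engineering. The following is an added example (not code from the ISC diary) of that triage: it carves printable ASCII and UTF-16LE runs out of a binary blob and flags the ones that look like author-supplied markers (e-mail addresses and domain names). The SAMPLE bytes are a constructed stand-in for a dropped bot executable, and the e-mail address in it is made up; only the domain sans-security.org comes from the diary.

```python
"""Carve ASCII and UTF-16LE strings from a binary and flag author markers.

Added example for string triage of a bot binary; SAMPLE is constructed,
not a real malware sample.
"""
import re

# Constructed "binary": a fake MZ header, padding, one ASCII message,
# some non-printable filler, one wide (UTF-16LE) string and a short tail
# that must NOT be reported (shorter than the minimum run length).
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 40
    + b"contact: author@example.invalid"      # constructed address
    + b"\x00\x13\x37" * 8                     # filler, no 6-byte printable run
    + "sans-security.org".encode("utf-16-le") # wide string, as many bots store them
    + b"\xff" * 20
    + b"ab"                                   # too short to count as a string
)

# Markers worth a second look: an e-mail address, or a bare domain name.
MARKER_RE = re.compile(
    r"[\w.+-]+@[\w-]+\.[\w.-]+"          # e-mail address
    r"|[\w-]+\.(?:org|com|net|kr)\b",   # domain with a few common TLDs
    re.IGNORECASE,
)


def extract_strings(blob, min_len=6):
    """Return (offset, kind, text) for every run of >= min_len printable
    characters, both plain ASCII and UTF-16LE ("wide"), sorted by offset."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # A wide string is printable ASCII bytes each followed by a NUL byte.
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(blob):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in wide_re.finditer(blob):
        found.append((m.start(), "utf16", m.group().decode("utf-16-le")))
    return sorted(found)


def flag_author_markers(strings):
    """Return (offset, kind, marker) for each e-mail/domain found in the
    extracted strings; this is where a taunt or contact line shows up."""
    hits = []
    for offset, kind, text in strings:
        for m in MARKER_RE.finditer(text):
            hits.append((offset, kind, m.group()))
    return hits


if __name__ == "__main__":
    strings = extract_strings(SAMPLE)
    for offset, kind, text in strings:
        print(f"{offset:#08x} {kind:5s} {text}")
    for offset, kind, marker in flag_author_markers(strings):
        print(f"marker at {offset:#08x} ({kind}): {marker}")
```

Running this prints both strings with their offsets and flags the address and the domain; the two-byte "ab" tail and the 0x13/0x37 filler are correctly ignored. On a real sample you would read the file with open(path, "rb") in place of SAMPLE, and extend MARKER_RE to whatever the case calls for (IRC channel names, URLs, nick prefixes).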
The binary is a Vanbot variant. At the time of writing, VirusTotal reports the following; 20 of the 30 engines flag the sample, under names that differ by vendor (VanBot, Sdbot, IRCBot, Nirbot, Rinbot), with the Sdbot/IRCBot labels making the IRC-controlled backdoor nature explicit.
Antivirus | Version | Update | Result
AntiVir | 7.3.1.38 | 02.22.2007 | BDS/VanBot.AY.6
Authentium | 4.93.8 | 02.23.2007 | W32/Trojan.YAZ
Avast | 4.7.936.0 | 02.22.2007 | no virus found
AVG | 386 | 02.23.2007 | BackDoor.Generic5.CLH
BitDefender | 7.2 | 02.23.2007 | no virus found
CAT-QuickHeal | 9.00 | 02.22.2007 | Backdoor.VanBot.ay
ClamAV | devel-20060426 | 02.22.2007 | no virus found
DrWeb | 4.33 | 02.23.2007 | BackDoor.IRC.Sdbot.1125
eSafe | 7.0.14.0 | 02.23.2007 | Win32.VanBot.ay
eTrust-Vet | 30.4.3423 | 02.23.2007 | Win32/Nirbot.K
Ewido | 4.0 | 02.22.2007 | Backdoor.IRCBot.aab
FileAdvisor | 1 | 02.23.2007 | no virus found
Fortinet | 2.85.0.0 | 02.23.2007 | W32/SDBot.H!worm
F-Prot | 4.3.1.45 | 02.22.2007 | W32/Trojan.YAZ
F-Secure | 6.70.13030.0 | 02.23.2007 | Backdoor.Win32.VanBot.ay
Ikarus | T3.1.0.31 | 02.22.2007 | Backdoor.Win32.VanBot.ay
Kaspersky | 4.0.2.24 | 02.23.2007 | Backdoor.Win32.VanBot.ay
McAfee | 4969 | 02.22.2007 | W32/Sdbot.worm.gen.h
Microsoft | 1.2204 | 02.23.2007 | no virus found
NOD32v2 | 2076 | 02.22.2007 | Win32/Vanbot.AY
Norman | 5.80.02 | 02.22.2007 | no virus found
Panda | 9.0.0.4 | 02.23.2007 | W32/Sdbot.JWH.worm
Prevx1 | V2 | 02.23.2007 | Malware.Trojan.Backdoor.Gen
Sophos | 4.14.0 | 02.21.2007 | no virus found
Sunbelt | 2.2.907.0 | 02.22.2007 | no virus found
Symantec | 10 | 02.23.2007 | W32.Rinbot.B
TheHacker | 6.1.6.062 | 02.21.2007 | no virus found
UNA | 1.83 | 02.22.2007 | Backdoor.VanBot.E9CE
VBA32 | 3.11.2 | 02.22.2007 | Backdoor.Win32.VanBot.ay
VirusBuster | 4.3.19:9 | 02.22.2007 | no virus found