EH-Net

So a member of my local DC group is a system admin for a military group that is stationed in Afgan.  Long story short, their whole infrastructure got jacked with a virus.  They are having a heck of a time removing it (generally just wiping).  Heh, good part?  He sent us back the files!  Wooo!  So, if any of you are interested in a fun Afgani comp virus, pm me and I will see about hooking you up.  :P  That is...if I trust you and you arn't totally new to the group.  I don't feel quite comfortable giving virus code to those who havent' been in the group for a bit.  Should be a fun thing to take appart though, which is what we'll probably be doing in our DC group for next month's meeting.

-4sh

Not going to ask for a copy, because I fall under the new clause. I wouldn't know what to do with it if I had it anyway.

I'm just wondering if it would be possible to make some kind of training document from what you do with it?

I know, I'm asking a lot. Just looking for good ways to learn things, from people who would know what they're doing.

No problem Chris.  Since it is not a virus that's been circulating around for a bit.. and from where I am getting it, I didn't want to throw it out there to everyone and their uncle.  Since...

1)  It could hose your system if you arn't very careful.
2)  I don't want to feel responsible for #1
3)  I dont' want it circulating around since no AV apparently can get rid of it yet.

You can get a lot of viral code out there to play with and check out.  Dean is pretty badass at that sort of thing.  He probably has quite a few bits sitting around.  Tons of sites have repositories of it as well to work with.  I'm sure there are others here who either have custom bits of stuff, and have far more experience with working with it than I.  They would be much better people to talk to about starting on working with this stuff... since I really dont' want to feel responsible hehe. 

And certainly, I can do a writeup of what my DC group and I find when we have our monthly meeting and play with it.  :) Should be fun times.  BBQ, beer, and playing with malcode... what more could one wish for a Summer Sunday?

4sh

I wouldn't want to be responsible for it getting out and causing problems elsewhere either. I think what I'm interested in is:

1) what is making it so hard to clear
2) what kind of things to look for on a network that indicates it's there (original detection, in general)
3) What this bad boy is using as an entry vector
4) what your test environment is like

If I was setting this up, which I lack the hardware for at this time, I'd do a chrooted virtual window's box on a system I don't mind destroying the hard drive out of afterward. Although that seems a little expensive when I think about it (constantly going through hard drives).

What's the best way to get involved with a local DC group? I tried to join a local Perl Monger's group once, but they hardly ever met, and when they did, they wanted to focus on showing off what they (the host's company) was working at the time. (*edit: turns out the local DC is no longer DC, it's now ArbSec...)

I'll also remember to shop smart, shop S-Mart. :)

g00d_4sh, I wouldn't mind getting a copy for reversing purposes.  It's not one of those nasty buggers that detects VmWare, or worse, tries to jump it, is it?   Also, is it in English?   I don't want you to get into any sort of trouble either, just so that I can play with a new toy :)

PS.  I will not spread it, at least not purposely.  If it spreads from my machine, it's likely that my machine will have perished.  ;D

If you do a writeup on it, I'd be interested in seeing it.

I would like a copy.

I think I am currently too busy with other things so that I can't take a look at myself, but I would appreciate to take a look at your research paper.

As already pointed out by Ketchup, keep in mind that there are techniques which allows malware to detect if it is debugged in a virtual machine and behave in a different way than it would usually or even escape from it and attack your host system. Therefore you may consider to debug it on a seperate physical machine if you can afford one.

I fall into the same camp at present, and if it's causing the military this many headaches it likely beyond my current reversing skills anyway. Would definitely be interested in anything you manage to discover though.

Keep us in the loop and thanks for the offer, wish I had time to have a play...

(P.S. try not to hose your systems ;) )

Hey man can I get a copy? I'd like to reverse it in one of my malcode analysis VM's.. What DC group are you IN?

I would like to get a copy. My organization has international presence in 30 or so countries. So, I would definitelly like to get ahead of this one, even if it is a localized threat.