So a member of my local DC group is a system admin for a military group that is stationed in Afgan.  Long story short, their whole infrastructure got jacked with a virus.  They are having a heck of a time removing it (generally just wiping).  Heh, good part?  He sent us back the files!  Wooo!  So, if any of you are interested in a fun Afgani comp virus, pm me and I will see about hooking you up.    That is...if I trust you and you arn't totally new to the group.  I don't feel quite comfortable giving virus code to those who havent' been in the group for a bit.  Should be a fun thing to take appart though, which is what we'll probably be doing in our DC group for next month's meeting.

-4sh

No problem Chris.  Since it is not a virus that's been circulating around for a bit.. and from where I am getting it, I didn't want to throw it out there to everyone and their uncle.  Since...

1)  It could hose your system if you arn't very careful.
2)  I don't want to feel responsible for #1
3)  I dont' want it circulating around since no AV apparently can get rid of it yet.

You can get a lot of viral code out there to play with and check out.  Dean is pretty badass at that sort of thing.  He probably has quite a few bits sitting around.  Tons of sites have repositories of it as well to work with.  I'm sure there are others here who either have custom bits of stuff, and have far more experience with working with it than I.  They would be much better people to talk to about starting on working with this stuff... since I really dont' want to feel responsible hehe. 

4sh

I wouldn't want to be responsible for it getting out and causing problems elsewhere either. I think what I'm interested in is:

1) what is making it so hard to clear
2) what kind of things to look for on a network that indicates it's there (original detection, in general)
3) What this bad boy is using as an entry vector
4) what your test environment is like

If I was setting this up, which I lack the hardware for at this time, I'd do a chrooted virtual window's box on a system I don't mind destroying the hard drive out of afterward. Although that seems a little expensive when I think about it (constantly going through hard drives).

What's the best way to get involved with a local DC group? I tried to join a local Perl Monger's group once, but they hardly ever met, and when they did, they wanted to focus on showing off what they (the host's company) was working at the time. (*edit: turns out the local DC is no longer DC, it's now ArbSec...)

I'll also remember to shop smart, shop S-Mart.

If you do a writeup on it, I'd be interested in seeing it.

I think I am currently too busy with other things so that I can't take a look at myself, but I would appreciate to take a look at your research paper.

As already pointed out by Ketchup, keep in mind that there are techniques which allows malware to detect if it is debugged in a virtual machine and behave in a different way than it would usually or even escape from it and attack your host system. Therefore you may consider to debug it on a seperate physical machine if you can afford one.

Hey man can I get a copy? I'd like to reverse it in one of my malcode analysis VM's.. What DC group are you IN?