Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    June 2009
    S M T W T F S
    « May   Jul »
     123456
    78910111213
    14151617181920
    21222324252627
    282930  
    • About Us
    Malware Blog > 2009 > June> 23

    Archive for June 23rd, 2009




    All-Feedback Is Good FeedbackIn our recently published white paper on Pushdo we noted that the malware used a certain string as part of its encryption routine.

    Poshel-ka ti na hui drug aver

    This string roughly translates to “Screw you my friend Aver” (well it’s actually a lot less polite than that, but you get the idea). We theorized that the word Aver could refer to a certain computer hardware reseller based in Moscow, but one of our peers at Kaspersky pointed out that this word could mean “AVer” (a slang term used mainly on english virus writing forums meaning AV researcher).

    Doh!

    This is not the first time that malware writers have left hidden messages that are only revealed during reverse engineering. My personal favorite is from a sample of the WORM_RINBOT family which included a message for a fellow AV researcher, after he assigned the name RINBOT to the malware family instead of the criminal gangs prefered name:

    Dear Symantec:
    For years I have longed for just one thing,
    to make malware with just the right sting,
    you detected my creation and got my domains killed,
    but I will not stop,
    I can rebuild.

    P.S. F*** you a**holes, especially Stephen Doherty who is the biggest f****t I know of.

    The Rinbot authors where particulary well known for getting frustrated at antivirus companies for detecting their creations (ironically made easier by all of those nice messages they included for us to use in malware signatures). They were fairly generous in distributing their pent up annoyance with everyone from SANS to CNN included. In particular they really disliked people refusing to name their malware as they had intended.

    Rinbot is not the only malware to include such strings, recently the TSPY_ZBOT family also started with messages giving out about blog articles by Avira and Microsoft. In fact these messages have been going on for years, another one from a WORM_MYDOOM variant back in 2004 read:

    we will attack f-secure,symantec,trendmicro,mcafee , etc.
    The 11th of march is the skynet day lol .

    Its always nice to get feedback on your work, even more so when its the bad guys complaining that we are doing too good of a job.

     
    Posted in Malware | TrackBacks (3) »


     

    Other Trend Micro blogs
    CTO Insights
    CounterMeasures Blog
    Cloud Security Blog
    Consumerization Blog
    Fearless Web
    Internet Safety for Kids & Families
    Simply Security News
    Trend Micro Blog [German]
    TrendLabs Security Blog [Japan]
    Cloud Security APAC
    Trend Micro Free Tools Threat Encyclopedia Trend Micro Videos
    Do you have a product-related question? Visit our eSupport website.

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice