FYI...

- http://isc.sans.org/diary.html?storyid=4042
Last Updated: 2008-02-28 09:31:30 UTC - "Yesterday I received samples of an IRC bot. This in itself would be nothing interesting except the fact that the archive contained binaries for FreeBSD and Mac (Darwin, ppc). After initial analysis I found out that it's nothing special – just a port of a well known IRC bot called EnergyMech. The most interesting thing was that the attacker compiled it for FreeBSD and Mac. This probably didn't require any extra effort though since it compiles out of the box on FreeBSD and Linux anyway. The bot did all the standard stuff: had couple of "owners" defined; comments in Portuguese and connected to Undernet, the IRC network that a lot of attackers like. I decided, for the fun of it, to run the sample through VirusTotal, just to see what results AV programs will have. It was .. erm.. interesting, as you will see below. There were in total 3 files:
$ md5sum linux freebsd darwin
fbab7e9bf1780fd2bc99e44d46535be5 linux
17eb3a901811ea86f7d71394cde36202 freebsd
a93b41466e330fc3cf8e6602e5cd03c2 darwin
The FreeBSD version of the bot was detected by 23 out of 32 AV programs (decent) and the Linux one by 24 out of 32 AV programs (even better). This was clearly signature detection since almost all AV programs detected the FreeBSD version as something for Linux (Linux/RST.B ) – my guess is that they trigger on some text in the binary. Finally, the Darwin version was a bit of a shock – 0 detections in total (!). Since it was a Mach-O executable for PPC, my guess is that AV programs didn't know how to parse the file format and just thought of it as data."



This post has been edited by AplusWebMaster: Feb 28 2008, 11:45 AM