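Strings inside IrmBot

The author wanted it to be called IrnBot, but AhnLab (in reality, after some whispering with the person at the next desk) decided to ignore the author's wishes
and call it IrmBot. (On March 2, 2007.)

* Name changes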

Win32/IRCBot.worm.206848.I -> Win32/IrmBot.worm.206848
Win32/IRCBot.worm.210944.B -> Win32/IrmBot.worm.210994
Win32/IRCBot.worm.212992.F -> Win32/IrmBot.worm.212992
Win32/IRCBot.worm.214528.F -> Win32/IrmBot.worm.214528
Win32/IRCBot.worm.222720.B -> Win32/IrmBot.worm.222720

-----------------------

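The author appears to be unhappy with SANS.org, which destroys his servers, with the antivirus vendors that detect him,
and with the fact that the detection name of his malware is not IrnBot.

* Message to SANS.org, which destroys his servers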

You better fuck off SANS.org especially that Johannes Ullrich (xxxxxxx@sans.org, 6xx-xxx-1xxx) and Kevin Hong (xxxxx@certcc.or.kr, +82-2-xxx-xxxx).
I really don't have anything against you, just piss off alright?


* Emphasizing to antivirus vendor employees that his malware is IrnBot

Hello antivirus employee, I must protest your virus naming system, it isn't very accurate.
I as a malware author believe that I deserve the right to at least have my creations named properly; like come on,
I'm the one who keeps your ass in business.
Anyways this isn't "RinBot", "VanBot" or "NirBot"; the correct name is "IrnBot".
Thank you Panda Antivirus for getting this correct.
For the rest of you, I hope you read this and make the correction, or ELSE.


* Once again emphasizing that his malware is IrnBot

Dear antivirus employee: well it's been an interesting week, it's been a good battle.
P.S. The name is IrnBot, make corrections now please.

* Message to Symantec

Dear Symantec: For years I have longed for just one thing, to make malware with just the right sting, you detected my creation and got my domains killed,
but I will not stop, I can rebuild.

P.S. Fuck you assholes, especially Stephen Doherty who is the biggest faggot I know of.


It is even said to rhyme, so the author appears to be someone who likes hip-hop.

For years I have longed for just one (thing),
to make malware with just the right (sting)

and (got) my domains (killed)
I will (not) stop, I can (rebuild)



* Message contained in Win32/IrmBot.worm.212992 (discovered March 4, 2007)

Tonight on CNN: An interview with the author(s) of Rinbot. Who are you? Hacker(s). Are you actually disgruntled? No. Then why are you actively going after Symantec?

The worm is designed for getting the highest yield of computers infected, not to aggravate Symantec; there is no hate. So why attack the Symantec anti-virus program?

A lot of businesses and universities run the application, making it a prime target for exploitation. Are you aware that your worm is crippling computer networks?

 Yes that can happen on slow networks or networks with many computers; the worm also searches and removes other worms from the system, acting as a small anti-virus program if you will. If you wish not to have those problems keep your software updated.

Why did you taunt Symantec and other security companies? They were the first to list the worm on their site and try and get servers shut down. What do you intent to use the infected computers for? Nothing very malicious; no fraud or anything like that. What is the real name of the worm and how did you come up with it? The real name is IrnBot, it is named after a popular soft drink called IrnBru. Thank you for your time author of Rinbot. You are very welcome CNN, thank you for the opportunity to explain.

* References

- Arbor Networks has also posted similar content.

http://asert.arbornetworks.com/2007/03/nirbot-even-botters-need-attention/

Posted by mstoned7


  1. fullc0de 2007.03.02 10:08

    You've organized this neatly. If it isn't rude to ask, could I get the Irnbot binary? If that's all right, please send it to the email address below. o(__)o It's not for use, just for collection and analysis ^^
    fullc0de [a t] g mail . com ( ^^;;)

  2. mstoned7 2007.03.03 21:20

    fullc0de / Sorry. Under company policy I can't give out samples ~ You understand, right?


V3 detection name : Win32/IRCBot.worm
MD5 : AD99BFACD166264CA50CCD40BF4670E5
Length : 214528

Message content)

Dear Symantec: For years I have longed for just one thing, to make malware with just the right sting, you detected my creation and got my domains killed, but I will not stop, I can rebuild. P.S. Fuck you assholes, especially Stephen Doherty who is the biggest faggot I know of.

 
Posted by mstoned7


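Probably because the IRC channels of the malicious IRC bot keep getting blocked, the bot author has included in his bot a message expressing his displeasure at this activity.

Notably, one of the people named works at KISA.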

* MD5 : 099196e29c01c0ecd896c7f10d0308e9 *sesvc.exe
* Length : 210,944
* V3 detection name : Win32/IRCBot.worm.210944.B


--------

You better fuck off SANS.org especially that Johannes Ullrich (*******@****.org, 617-7xx-xxxx)
and Kevin Hong (xxxxx@******.or.kr, +82-2-4xx-5xxx).
I really don't have anything against you, just piss off alright?


Malware author with a grudge against KISA

Posted by mstoned7
