Monday, August 27, 2007
Srizbi, Full-Kernel Rootkit Malware
Hi folks,
In the last few days I came across a new rootkit malware named Trojan.Srizbi (aka Troj/RKAgen-A, Rootkit:W32/Agent.EA) that has the capability of bypassing firewalls and IDS systems and also tries to delete competing rootkits.
This malware hooks ZwOpenKey and ZwEnumerateKey, and hooks the IRP_MJ_CREATE and IRP_MJ_DIRECTORY_CONTROL kernel routines of the NTFS filesystem driver (\FileSystem\Ntfs). The Trojan also creates the files %System%\windbg48.sys and %System%\[RANDOM NAME].sys.
The Trojan attempts to connect to several servers to download config files.
The polymorphic code used in Trojan.Srizbi is very similar to the Backdoor.Rustock.B packer, but more advanced. Srizbi is currently being spread via iframe tools like MPack. This YouTube video shows websites using iframes and the MPack installer attacking a PC.
You can read more information on Symantec.
Posted by kernex at 2:20 PM 0 comments
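The hooks described in this post hide the dropped driver from anything that lists the file system or the registry through the normal kernel paths. The standard defensive answer is cross-view detection: take one listing through the (possibly hooked) API and one from an independent source such as the raw NTFS structures or a saved hive, then diff them; anything present only in the independent view is being hidden. The following is an added example written for this post, not code from the post, Symantec or any detection tool. It simulates the hooked enumerator in memory with constructed directory and registry contents; `xq9fhd2k.sys` is a made-up stand-in for the [RANDOM NAME].sys driver. It applies the same comparison to the registry (the ZwEnumerateKey hook) as to the file listing, since the detection logic is identical.

```python
"""Cross-view detection of entries hidden by enumeration hooks (simulated).

Added example, not code from the post. A rootkit that hooks
IRP_MJ_DIRECTORY_CONTROL (file listings) or ZwEnumerateKey (registry
listings) can drop its own names from whatever the normal API returns.
A detector that obtains the same listing from an independent source, such
as raw on-disk NTFS structures or a saved registry hive, can diff the two
views; names present only in the independent view are being hidden.
Everything here is in-memory and constructed so it runs offline.
"""
from __future__ import annotations

# Constructed raw views, as an independent reader of the disk/hive would see them.
RAW_SYSTEM32_LISTING = [
    "kernel32.dll", "ntoskrnl.exe", "drivers",
    "windbg48.sys",   # driver name reported in the post
    "xq9fhd2k.sys",   # made-up stand-in for the [RANDOM NAME].sys driver
]
RAW_SERVICES_SUBKEYS = ["Beep", "Ntfs", "Tcpip", "windbg48"]

# Substrings a hypothetical hook strips from enumeration results.
HIDE_SUBSTRINGS = ["windbg48", "xq9fhd2k"]


def hooked_enumerate(raw_names: list[str]) -> list[str]:
    """Simulate the tampered enumeration path: identical to the raw view
    except names containing any HIDE_SUBSTRINGS are silently dropped."""
    return [n for n in raw_names
            if not any(s in n.lower() for s in HIDE_SUBSTRINGS)]


def cross_view_diff(api_view: list[str], raw_view: list[str]) -> list[str]:
    """Names in the independent (raw) view that the API view omits.
    Comparison is case-insensitive because NTFS and the registry are."""
    api = {n.lower() for n in api_view}
    raw = {n.lower() for n in raw_view}
    return sorted(raw - api)


def scan(raw_names: list[str]) -> list[str]:
    """Run the simulated hooked API against a raw listing and return what is hidden."""
    return cross_view_diff(hooked_enumerate(raw_names), raw_names)


if __name__ == "__main__":
    for label, raw in (("file", RAW_SYSTEM32_LISTING),
                       ("registry", RAW_SERVICES_SUBKEYS)):
        for name in scan(raw):
            print(f"{label} entry hidden from API view: {name}")
```

On a live system the raw view is the hard part (a detector must read the volume or hive without going through the hooked driver); the diff itself is as simple as shown, and a non-empty result is the signal that something between the caller and the disk is suppressing entries.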
Sunday, August 12, 2007
RealVNC Honeypot
My honeypot's structure and tricks:
1. VMware with images of a clean OS (XP, NT, 2000 or a Linux-based OS).
2. Install a vulnerable version of RealVNC.
3. Capture the network traffic.
4. Locate the honeypots behind the NAT and firewall (don't forget to enable the RealVNC incoming ports on the firewall or NAT).
5. Take a snapshot in VMware of the clean OS.
Posted by Nmajidi at 4:51 PM 0 comments
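Once the honeypot is capturing traffic on the forwarded RealVNC ports, the captures are only useful if someone reconstructs what each client did. The following is an added example for this post, not code from the post or from RealVNC: given the bytes each side sent during a connection (as a honeypot logger or a pcap extractor would hand them over), it parses the RFB 3.7/3.8 handshake, records the security types the server offered and the one the client picked, and flags a client that selects a type the server never offered, which is a protocol violation worth alerting on. It also accepts the legacy RFB 3.3 negotiation, where the server alone picks the type. The sample captures are constructed, not real honeypot data.

```python
"""Reconstruct RFB (VNC) handshakes from honeypot captures.

Added example, not part of the original post. Input is the concatenated
bytes each side sent, in order. RFB 3.7/3.8: server sends a 12-byte
version string, client answers with its own, server sends <count><types>,
client sends the one type it chose. RFB 3.3: after the version exchange
the server sends a single 4-byte big-endian security type and the client
sends nothing. Captures here are constructed for the demonstration.
"""
from __future__ import annotations
from dataclasses import dataclass, field

SECURITY_TYPE_NAMES = {0: "Invalid", 1: "None", 2: "VNC Authentication"}
NOT_OFFERED = "client selected a security type the server did not offer"


@dataclass
class HandshakeReport:
    server_version: str
    client_version: str
    offered: list[int]
    chosen: int
    findings: list[str] = field(default_factory=list)


def _need(stream: bytes, pos: int, n: int) -> bytes:
    """Slice n bytes at pos or raise, so truncated captures fail loudly."""
    chunk = stream[pos:pos + n]
    if len(chunk) != n:
        raise ValueError(f"truncated capture: wanted {n} bytes at offset {pos}")
    return chunk


def _parse_version(stream: bytes) -> str:
    # The version string is exactly 12 bytes: b"RFB xxx.yyy\n"
    chunk = _need(stream, 0, 12)
    if not chunk.startswith(b"RFB ") or chunk[11:12] != b"\n":
        raise ValueError(f"malformed RFB version string: {chunk!r}")
    return chunk[4:11].decode("ascii")


def analyse_handshake(server_stream: bytes, client_stream: bytes) -> HandshakeReport:
    s_ver = _parse_version(server_stream)
    c_ver = _parse_version(client_stream)
    findings: list[str] = []

    if c_ver == "003.003":
        # Legacy negotiation: the server alone picks the security type.
        offered = [int.from_bytes(_need(server_stream, 12, 4), "big")]
        chosen = offered[0]
        findings.append("client used legacy RFB 3.3 negotiation")
    elif c_ver in ("003.007", "003.008"):
        count = _need(server_stream, 12, 1)[0]
        if count == 0:
            # Server refused the connection; a reason string follows instead.
            return HandshakeReport(s_ver, c_ver, [], 0, ["server rejected the connection"])
        offered = list(_need(server_stream, 13, count))
        chosen = _need(client_stream, 12, 1)[0]
    else:
        raise ValueError(f"unsupported client version {c_ver}")

    if chosen not in offered:
        name = SECURITY_TYPE_NAMES.get(chosen, "unknown")
        findings.append(f"{NOT_OFFERED}: chose {chosen} ({name}), offered {offered}")
    return HandshakeReport(s_ver, c_ver, offered, chosen, findings)


# Constructed captures: an ordinary VNC-auth session, a client choosing an
# unoffered type, and a legacy 3.3 client. Challenge/response bytes are dummies.
SERVER_OK = b"RFB 003.008\n" + b"\x01\x02" + b"\x00" * 16
CLIENT_OK = b"RFB 003.008\n" + b"\x02" + b"\x11" * 16
SERVER_BAD = b"RFB 003.008\n" + b"\x01\x02"
CLIENT_BAD = b"RFB 003.008\n" + b"\x01"
SERVER_33 = b"RFB 003.008\n" + b"\x00\x00\x00\x02"
CLIENT_33 = b"RFB 003.003\n"

if __name__ == "__main__":
    for s, c in ((SERVER_OK, CLIENT_OK), (SERVER_BAD, CLIENT_BAD), (SERVER_33, CLIENT_33)):
        r = analyse_handshake(s, c)
        print(f"client {r.client_version} offered={r.offered} chose={r.chosen} {r.findings}")
```

Feeding every captured session through this and keeping only reports with findings gives a short list of the connections that deserve a closer look in the snapshot diff, rather than reading raw packet dumps for each attempt.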
pwnie awards
This is an awards ceremony for security researchers; you can find some of the cool guys in the judges list: HD Moore (Metasploit project leader), David Aitel (Immunity CTO), Halvar Flake (Sabre Security CEO), and others.
They published the list of winners in Las Vegas at the Black Hat conference.
See the winners list
Do you agree with them?!! :)
Posted by Nmajidi at 4:29 PM 0 comments
Labels: The Pwnie Awards
Thursday, August 2, 2007
Blue Pill published
After a long time, the Blue Pill PoC by Joanna Rutkowska has now been published.
Intro
The original Blue Pill proof of concept code has been written by Joanna Rutkowska, while working for COSEINC, and presented at the Black Hat Briefings 2006 in Las Vegas on August 3rd. Joanna Rutkowska then formed a small team of researchers inside COSEINC, Advanced Malware Labs, which was supposed to focus on further research into virtualization based malware. However after just a few months the priorities of work have been shifted, resulting in Blue Pill research activities being ceased.
In April 2007 Joanna Rutkowska decided to quit COSEINC and start her own security consulting firm, Invisible Things Lab. In May 2007 Alexander Tereshkin, a former member of COSEINC AML, joined ITL as a principal researcher. Joanna Rutkowska and Alexander Tereshkin decided to redesign and write from scratch the New Blue Pill rootkit, so that it would be possible to use it for further research and for educational purposes. Most of the New Blue Pill's code was developed by Alexander Tereshkin.
The New Blue Pill is significantly different from the original Blue Pill, not only because of the various features that it implements, but also because of the different architecture it was based on (HVM-like approach, similar to that used by XEN 3).
Posted by kernex at 4:57 PM 0 comments
Labels: Blue Pill