I'm writing this in response to mythx's recent blog post on offensivecomputing, "W32.Rinbot.BC - detects VM and Ollydbg's presence", dated Tue, 2007-05-08.
The sample (Rinbot) is packed with EXECryptor, and my question is:
Is the detection mechanism purely implemented in the packer, or does the malware/payload detect VMs/OllyDbg as well?
The GUI (of this packer) has a checkbox where you can tag the protected executable as compatible with VMware/VirtualPC/Wine or not; I guess this disables or enables VM detection... On their website you can read about powerful anti-debug, anti-trace, anti-cracking and anti-reversing techniques. Unfortunately these features aren't enabled in the trial copy you can download for free (god knows why :P).
Has anyone encountered or analysed this packer?