The solution includes the documentation in PDF format and three IDA 5 databases.
Update: A kind soul informed me that I made a pretty dumb mistake with File Z, which is actually infected with a Linux virus called RST.b too. That wasn't all that surprising, as the online virus scanner I use actually reported that. IDA doesn't load the relevant code though, because the section size of the .rodata section where the virus code can be found is too small. That's why you won't find the code in FileZ.idb either. That was easy for me to miss, but I still could have found out because the entry point of File Z points to the virus code. Looks like I was too quick to dismiss the IDA "Invalid entry point" message as just another warning message when analyzing a broken file.
This brought my attention to something else too. I need to be more careful in the future. Assume a bot is packed, then infected with a virus and then packed again. My run-and-dump method to get the unpacked file wouldn't pick up the file infector. I think I should focus on developing some strategies on how to pick up pieces of malware that are made up of several individual viruses and packer layers.
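As an added illustration of the check I missed above (my own example, not part of the original solution or the challenge files): a small Python script that parses an ELF64 header and reports when the entry point is mapped by a PT_LOAD segment but not covered by any allocated section, which is exactly the case where a section-driven disassembler never loads the bytes the loader will execute. The sample binary is a constructed skeleton with a deliberately short .rodata, not File Z.

```python
import struct

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr (64 bytes)
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr (56 bytes)
SHDR = struct.Struct("<IIQQQQIIQQ")        # Elf64_Shdr (64 bytes)

def parse_elf64(data):
    """Return (entry, PT_LOAD ranges, SHF_ALLOC section ranges) as (start, length)."""
    (ident, _, _, _, entry, phoff, shoff, _, _, phentsize, phnum,
     shentsize, shnum, _) = EHDR.unpack_from(data, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 2:
        raise ValueError("not an ELF64 file")
    segs = [PHDR.unpack_from(data, phoff + i * phentsize) for i in range(phnum)]
    secs = [SHDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]
    loads = [(p[3], p[6]) for p in segs if p[0] == 1]   # p_type == PT_LOAD: vaddr, memsz
    allocs = [(s[3], s[5]) for s in secs if s[2] & 2]   # sh_flags & SHF_ALLOC: addr, size
    return entry, loads, allocs

def check_entry_point(data):
    """Classify the entry point: inside a declared section, mapped by a segment
    but outside every section (the File Z situation), or not mapped at all."""
    entry, loads, allocs = parse_elf64(data)
    in_section = any(a <= entry < a + n for a, n in allocs)
    in_segment = any(v <= entry < v + n for v, n in loads)
    verdict = "ok" if in_section else ("mapped but unsectioned" if in_segment else "unmapped")
    return {"entry": entry, "in_section": in_section,
            "in_segment": in_segment, "verdict": verdict}

def build_sample(entry, rodata_size):
    """Constructed ELF64 skeleton (not a real binary): one PT_LOAD segment
    mapping 0x400000-0x400300 and a .rodata section at 0x400100 of the given size."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\0" * 9
    phdr = PHDR.pack(1, 5, 0, 0x400000, 0x400000, 0x300, 0x300, 0x1000)
    shdrs = SHDR.pack(*[0] * 10) + SHDR.pack(0, 1, 2, 0x400100, 0x100, rodata_size, 0, 0, 16, 0)
    ehdr = EHDR.pack(ident, 2, 62, 1, entry, 64, 64 + len(phdr), 0, 64, 56, 1, 64, 2, 0)
    blob = ehdr + phdr + shdrs
    return blob + b"\0" * (0x300 - len(blob))

if __name__ == "__main__":
    # Declared .rodata size 0x40 ends at 0x400140, so the entry at 0x400200 is unsectioned
    print(check_entry_point(build_sample(0x400200, 0x40)))
    # With an honest section size the same entry point is covered
    print(check_entry_point(build_sample(0x400200, 0x200)))
```

Running the same check on each layer of a run-and-dump chain (packed, dumped, and any embedded file found inside) gives a cheap triage signal before trusting what the disassembler shows.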