JBoss Worm Exploiting Old Bug to Infect Unpatched Servers | threatpost

https://threatpost.com/en_us/blogs/jboss-worm-exploiting-old-bug-infect-unpatched-servers-102111 The worm uses a bug in jmx-console to execute shell code, then installs a Perl-based control daemon that connects to IRC and tries to discover other JBoss instances nearby using JGroups UDP multicast. More details, including the source code: http://pastebin.com/U7fPMxet

w32_stuxnet_dossier.pdf (application/pdf Object)

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf The most complete research on Stuxnet comes from Symantec, in the form of their paper “W32.Stuxnet Dossier”.

W32.Stuxnet | Symantec Connect

http://www.symantec.com/connect/blog-tags/w32stuxnet Blog posts from Symantec tagged ‘stuxnet’; the most current research on the topic is usually announced there.

Introduction to ClamAV's Low Level Virtual Machine (LLVM)

http://vrt-sourcefire.blogspot.com/2010/09/introduction-to-clamavs-low-level.html [Some notes on] how to use ClamAV's built-in JIT bytecode interpreter to create new virus signature definitions.

[rus] On a heuristic method for detecting virus injections on websites / Information Security / Habrahabr

http://habrahabr.ru/blogs/infosecurity/70615/#habracut Statistical method for detecting malicious JavaScript, with a Perl implementation.

malware_biz.pdf (application/pdf Object)

http://www.cs.auckland.ac.nz/~pgut001/pubs/malware_biz.pdf Awesome paper about the business of spam/malware/etc., kinda scary.