TDSS and hacking the hackers

…Aleks and Eugene released a new version of the tool they developed in the course of their research into the TDL family…

TDL4: new bootkits stepping out

My colleague Aleks Matrosov has come across an interesting if uncomfortable post on a Russian language forum, advertising a "Boot loader for drivers" currently under test that doesn't require a Digital Signature driver, which sounds very much like our old friend TDL4. This metamorphic malware (each build generates a fresh binary) loads before the start of PatchGuard. It's

Hodprot is a Hotshot

In their presentation “Cybercrime in Russia: Trends and issues” at CARO2011 — one of the best presentations of the workshop, in my unbiased opinion ;-) — Robert Lipovsky, Aleksandr Matrosov and Dmitry Volkov mentioned the Win32/Hodprot malware family, which seems to be undergoing something of a resurgence.

Defeating anti-forensics in contemporary complex threats

Aleksandr Matrosov summarizes the evolution of complex threats that use hidden storage, as discussed in his presentation with Eugene Rodionov at Virus Bulletin 2012.

Smartcard vulnerabilities in modern banking malware

Aleksandr Matrosov and Eugene Rodionov presented their research into “Smartcard vulnerabilities in modern banking malware” at PHDays’2012.

Bypassing code signing policy: welcome to the (Eko)party

ESET researchers Aleksandr Matrosov and Eugene Rodionov just gave a talk on “Defeating x64: Modern Trends of Kernel-Mode Rootkits”.

Cycbot: Ready to Ride

Although the “Ready to Ride” group originated in Russia, it distributes Win32/Cycbot outside the borders of the Russian Federation. Going by the prices per installation, the primary target of the group is the US.

TDL4: Beat-root with Confidence

…Aleksandr Matrosov and Eugene Rodionov recently delivered a presentation on “Defeating x64: The Evolution of the TDL Rootkit” at Confidence 2011, in Krakow, and it is now available on our white papers page…

Tidy TDSS (TDL3) Paper

…Aleksandr Matrosov, Senior Virus Researcher, & Eugene Rodionov, Rootkit Analyst, … have allowed us to share a long and comprehensive report on the TDL3 rootkit…

Bootkits, Windigo, and Virus Bulletin

ESET research on Operation Windigo received an award at Virus Bulletin 2014. Our research on bootkits was also well received, and is now available publicly.

Is Gapz the most complex bootkit yet?

Introducing a detailed analysis of Win32/Gapz malware in a new white paper titled: Mind the Gapz: The most complex bootkit ever analyzed?

Flamer Analysis: Framework Reconstruction

Aleksandr Matrosov looks at the internal architecture of Win32/Flamer’s mssecmgr.ocx module.

Avatar rootkit: the continuing saga

In this blog post we confirm that the Avatar rootkit continues to thrive in the wild, and disclose some new information about its kernel-mode self-defense tricks. We continue our research into this malware family.

Win32/Gapz: New Bootkit Technique

Win32/Gapz’s new bootkit technique modifies just 4 bytes of the original VBR, has an enhanced dropper and complex kernel-mode functionality, and evades ELAM.

Win32/Gapz: steps of evolution

Win32/Gapz has a new technique for code injection and a new VBR infection method. The dropper has many tricks for bypassing detection by security software.

Stuxnet Paper Updated

…the “Stuxnet under the microscope” paper has been updated today on the white papers page: details as follows…

TDL4 reloaded: Purple Haze all in my brain

A new TDL4 sample includes novel privilege escalation mechanisms in the dropper and changes to the hidden storage system.

2012 Predictions: East of Java

Java will consolidate its position as the successor to PDF and SWF in the favourite exploits stakes.

Evolution of Win32/Carberp: going deeper

This month we discovered new information about a new modification of the Win32/TrojanDownloader.Carberp trojan family.

Win32/Duqu analysis: the RPC edition

ESET Researchers have investigated Win32/Duqu’s RPC mechanism.

Copyright © 2017 ESET, All Rights Reserved.