search result

TDSS and hacking the hackers

…Aleks and Eugene released a new version of the tool they developed in the course of their research into the TDL family…

TDL4: new bootkits stepping out

My colleague Aleks Matrosov has come across an interesting if uncomfortable post on a Russian language forum, advertising a "Boot loader for drivers" currently under test that doesn't require a Digital Signature driver, which sounds very much like our old friend TDL4. This metamorphic malware (each build generates a fresh binary) loads before the start of PatchGuard. It's

Defeating anti-forensics in contemporary complex threats

Alexandr Matrosov summarizes the evolution of complex threats using hidden storage, as discussed in his presentation with Eugene Rodionov at Virus Bulletin 2012.

Smartcard vulnerabilities in modern banking malware

Aleksandr Matrosov and Eugene Rodionov presented their research into “Smartcard vulnerabilities in modern banking malware” at PHDays’2012.

Bypassing code signing policy: welcome to the (Eko)party

ESET researchers Aleksandr Matrosov and Eugene Rodionov just gave a talk on Defeating x64: Modern Trends of Kernel-Mode Rootkits

TDL4: Beat-root with Confidence

…Aleksandr Matrosov and Eugene Rodionov recently delivered a presentation on “Defeating x64: The Evolution of the TDL Rootkit” at Confidence 2011, in Krakow, and now available on our white papers page…

Bootkits, Windigo, and Virus Bulletin

ESET research on Operation Windigo received an award at Virus Bulletin 2014. Our research on bootkits was also well received, and is now available publicly.

TDL4 reloaded: Purple Haze all in my brain

A new TDL4 sample includes novel privilege escalation mechanisms in the dropper and changes to the hidden storage system.

Is Gapz the most complex bootkit yet?

Introducing a detailed analysis of Win32/Gapz malware in a new white paper titled: Mind the Gapz: The most complex bootkit ever analyzed?

Flamer Analysis: Framework Reconstruction

Aleksandr Matrosov looks at the internal architecture of Win32/Flamer’s mssecmgr.ocx module.

Avatar rootkit: the continuing saga

In this blog post we confirm that the Avatar rootkit continues to thrive in the wild, and disclose some new information about its kernel-mode self-defense tricks. We continue our research into this malware family.

Win32/Gapz: New Bootkit Technique

Win32/Gapz’s new bootkit technique modifies just 4 bytes of the original VBR, has an enhanced dropper and complex kernel mode functionality, and evades ELAM.

Win32/Gapz: steps of evolution

Win32/Gapz has a new technique for code injection and a new VBR infection method. The dropper has many tricks for bypassing detection by security software.

Stuxnet Paper Updated

…the “Stuxnet under the microscope” has been updated.today on the white papers page: details as following…

Win32/Duqu analysis: the RPC edition

ESET Researchers have investigated Win32/Duqu’s RPC mechanism.

Hasta La Vista, Bootkit: Exploiting the VBR

During the first half of 2011 we have witnessed a significant growth in malware targeting 64-bit platforms, the most interesting examples of which are bootkits.

Cycbot: Ready to Ride

Although the “Ready to Ride” group originated in Russia it distributes Win32/Cycbot outside the borders of the Russian Federation. Going by the prices per installation the primary target of the group is the US.

TDL Tracking: Peer Pressure

Recently … our TDL tracker picked up a brand new plugin for TDL4 kad.dll (Win32/Olmarik.AVA) which we haven’t seen earlier … we discovered that it implements a particularly interesting network communication protocol …

KB2506014 kills TDL4 on x64

The security update won’t necessarily help users who have already been infected with the bootkit as TDL4 blocks the Windows Update service on x86 machines. As a result, infected x86 machines won’t be able to download and install the patch automatically.

Virus Bulletin 2012 Slides

The slides for many of the presentations by ESET researchers at VB 2012 can now be found on the Virus Bulletin conference web pages.

Copyright © 2016 ESET, All Rights Reserved.