Author
Robert Lipovsky
Robert Lipovsky
Malware Researcher

Education? Master’s Degree in Computer Science from the Slovak University of Technology in Bratislava

Highlights of your career? Giving presentations at several security conferences, including EICAR, CARO, and Virus Bulletin.

Position and history at ESET? Malware Researcher since 2007, currently holds the position Security Intelligence Team Lead.

What malware do you hate the most? Grayware/PUAs – when malware authors complain about detection and try to convince you they’re not malware.

Favorite activities? Snowboarding, listening to music, playing guitar…

What is your golden rule for cyberspace? Be reasonably paranoid..

When did you get your first computer and what kind was it? During primary school. It was an Intel 8088 palmtop, used it for programming in GW-BASIC 

Favorite computer game/activity? Project I.G.I.

More Info

Corkow: Analysis of a business-oriented banking Trojan

Win32/Corkow is banking malware with a focus on corporate banking users. We can confirm that several thousand users, mostly in Russia and Ukraine, were victims of the Trojan in 2013. In this post, we expand on its unique functionality.

Cryptolocker 2.0 – new version, or copycat?

Last month we discovered filecoder malware which called itself “Cryptolocker 2.0”. Naturally, we wondered if this is a newer version of the widespread ransomware from the creators of the first. We look at the details that hint that it might have been created by some other, unknown, cybercrime gang.

New Hesperbot targets: Germany and Australia

In September we informed about a new banking trojan called Hesperbot (detected as Win32/Spy.Hesperbot). The perpetrators responsible for the threat are still active – November has been particularly eventful. In this post, we’ll give an update on the situation and malware developments.

Filecoder: Holding your data to ransom

Trojans that encrypt user files and try to extort a ransom from the victim in exchange for a decryptor utility are nothing new. We’ve noted a significant increase in Filecoder activity over the past few summer months – in this blog post we address the questions we’re getting about this issue.

Hesperbot – technical analysis: part 2/2

In this 3rd Hesperbot blog post we’ll look at the most intriguing part of the malware – the way it handles network traffic interception.

Hesperbot – Technical analysis part 1/2

Win32/Spy.Hesperbot is a new banking trojan that has been targeting online banking users in Turkey, the Czech Republic, Portugal and the United Kingdom. For more information about its malware spreading campaigns and victims, refer to our first blog post. In this post we’ll cover the technical details of the malware, including the overall architecture, as well as the mobile component.

Hesperbot – A New, Advanced Banking Trojan in the Wild

A new and effective banking trojan has been discovered targeting online banking users in Turkey, the Czech Republic, Portugal and the United Kingdom. It uses very credible-looking phishing-like campaigns, related to trustworthy organizations, to lure victims into running the malware.

More malware targeting crypto-currencies: Litecoin stealing Trojan found

Bitcoin is not the only crypto-currency targeted by malware now that a Trojan designed to steal Litecoins has been discovered. In this post we review recent discoveries in malware impacting digital money.

Tax returns: Slovakian spyware campaign

ESET’s Security Research Lab details a malware-spreading campaign leveraging the deadline for tax returns in Slovakia and examines a case of infection where a bank’s two-factor authentication prevented financial loss.

PokerAgent botnet stealing over 16,000 Facebook credentials

The ‘PokerAgent’ botnet, which we have tracked in 2012, was designed to harvest Facebook log-on credentials, also collecting information on credit card details linked to the Facebook account and Zynga Poker player stats, presumably with the intention to mug the victims.

Java 0-Day Exploit CVE-2013-0422

The infamous exploit packs Blackhole and Nuclear Pack now feature a new zero-day Java exploit that exploits the Java vulnerability CVE-2013-0422. The latest version of Java 7 Update 10 is affected. Malware spreading through drive-by-downloads often utilizes exploit packs, which are able to serve malware variants without any user interaction, as opposed to other techniques

Quervar Induc.C reincarnate?

Win32/Quervar (a.k.a Dorifel, XDocCrypt) is a virus family that has been in the news recently, especially in the Netherlands. It has been reported to be causing havoc on computers of several notable Dutch institutions. In our analysis, we provide additional technical details about the workings of the virus and compare it to another virus, the

ACAD/Medre.A Technical Analysis

For the story behind the suspected industrial espionage, where ACAD/Medre.A was used, refer to Righard Zwienenberg's blog post. For technical details from analysing the worm's source code, read on. ACAD/Medre.A is a worm written in AutoLISP, a dialect of the LISP programming language used in AutoCAD. Whilst we classify it as a worm, due to

Vulnerable WordPress Leads to Security Blog Infection

Even visiting security-oriented websites can sometimes be risky. If you’ve visited the security blog zerosecurity.org this month and you’re also a user of ESET’s security products, you might have encountered an anti-virus alert such as this one: The detection names may vary. Different variants of the following “generic families” were detected on the compromised websites on

Modern viral propagation: Facebook, shocking videos, browser plugins

Fraudsters continue to innovate their scam propagation methods. Again using Facebook and a pretense of a shocking video, they also utilize browser plugins to execute malicious scripts. We also see how the malware scene is intertwined, when the user is directed to a dubious Potentially Unwanted Application. Facebook auto-like scams have been commonplace on the

Made in the Czech Republic: a PHP Autorun worm

Recently, a new data-stealing worm caught our attention. The reason why it stands out from many similar amateur creations is that its author is most probably Czech, as the text strings, variable and function names used by the malware suggest. The Czech text above is displayed by the worm inside a console window and translates

Linux Tsunami hits OS X

We’ve just come across an IRC controlled backdoor that enables the infected machine to become a bot for Distributed Denial of Service attacks. The interesting part about it is that it’s a Mach-O binary – targeting Mac OS X. ESET’s research team compared this to samples in our malware collection and discovered that this code

Virus Bulletin 2011: Fake but free…

ESET had quite a strong representation at Virus Bulletin this year in Barcelona, as David Harley mentioned in his post prior to the conference. On the first day, Pierre-Marc Bureau presented his findings about the Kelihos botnet, David Harley and AVG’s Larry Bridwell discussed the usefulness and present state of AV testing, and to finish

German Policeware: Use the Farce…er, Force…Luke

On Saturday, another controversial report of a “government trojan” appeared. This time it is the German government that has been accused by the European hacker club Chaos Computer Club (CCC) of using “lawful interception” malware. Hence, “Bundestrojaner” (Federal Trojan), though that name is normally applied to the legal concept that allows German police to make

Towering Qbot Certificates

New stolen digital certificates are used by the multi-purpose backdoor Qbot. The criminals behind the Qbot trojan are certainly not inactive. As I mentioned in a blog post earlier this month, after a quiet summer we have seen a batch of new Qbot variants. An interesting fact is that the malicious binaries were digitally signed.

Follow Us

Automatically receive new posts via email:

Delivered by FeedBurner

ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.