Author
Aleksandr Matrosov
Aleksandr Matrosov
Security Intelligence Team Lead

Education: Master of Information Security (2007) at National Nuclear Research University "MEPHI"
Bachelor of Electronics (2001) at Moscow College of Management and New Technologies

Highlights of your career? I have more than ten years of experience with malware analysis, reverse engineering and advanced exploitation techniques. Worked as a security researcher since 2003 for major Russian IT companies. Frequently invited to speak at major security conferences with hardcore technical stuff.

Position and history at ESET? I joined the company in October 2009 as a Senior Malware Researcher and am currently working as Security Intelligence Team Lead. My team researches the most complex threats.

What malware do you hate the most? Stuxnet and Flame families for tons of C++ code.

Favorite activities? Reverse engineering, automation of RE processes and research in modern exploitation techniques.

What is your golden rule for cyberspace? Don't trust anybody, because you don’t know who is really sitting on other side of the communication channel and bad guys can play with your trust.

When did you get your first computer and what kind was it? My first experience with personal computers was with a ZX Spectrum in 1992. My first PC with i486DX4 on the board was purchased in 1995.

Favorite computer game/activity? I like cyberpunk computer game series as System Shock and Deus Ex. But lately my favorite computer game has been IDA Pro disassembler ;)

More Info

The Powerloader 64-bit update based on leaked exploits

A few months ago on this blog I described PowerLoader functionality – including an interesting way for privilege escalation into the explorer.exe system process. The leaked PowerLoader code is also used in other malware families.

Avatar rootkit: the continuing saga

In this blog post we confirm that the Avatar rootkit continues to thrive in the wild, and disclose some new information about its kernel-mode self-defense tricks. We continue our research into this malware family.

The rise of TOR-based botnets

TOR-based botnets are not a new trend and were already being discussed a few years ago at Defcon 18 (“Resilient Botnet Command and Control with Tor”). But in the last year we’ve been able to confirm some interesting facts concerning the use of these ideas in real-world botnets. This topic was already discussed around the beginning

Mysterious Avatar rootkit with API, SDK, and Yahoo Groups for C&C communication

The mysterious Avatar rootkit, detected by ESET as Win32/Rootkit.Avatar, appears to reflect a heavy investment in code development, with an API and a SDK available, plus an interesting abuse of Yahoo Groups for C&C communications.

Is Gapz the most complex bootkit yet?

Introducing a detailed analysis of Win32/Gapz malware in a new white paper titled: Mind the Gapz: The most complex bootkit ever analyzed?

Carberp: the never ending story

Aleksandr Matrosov reveals changes in banking Trojan Carberp relating to Java/Spy.Banker (AgentX.jar) and gaining remote access using legitimate software as backdoor components.

Gapz and Redyms droppers based on Power Loader code

Technical analysis of Power Loader, a special bot builder for making downloaders for other malware families and yet another example of specialization and modularity in malware production.

How Theola malware uses a Chrome plugin for banking fraud

A deep dive into Win32/Theola, one of the most malicious components of the notorious bootkit family, Win32/Mebroot.FX. Theola uses malicious Chrome browser plugins to steal money.

Caphaw attacking major European banks using webinject plugin

Analysis of malicious code dubbed Win32/Caphaw (a.k.a. Shylock) attacking major European banks, with ability to automatically steal money when the user is actively accessing his banking account.

What do Win32/Redyms and TDL4 have in common?

At the beginning of January 2013, we started tracking the interesting Win32/Redyms trojan family. Redyms is notable for changing search results from popular search engines on infected machines.

Win32/Gapz: steps of evolution

Win32/Gapz has a new technique for code injection and a new VBR infection method. The dropper has many tricks for bypassing detection by security software.

Win32/Spy.Ranbyus modifying Java code in RBS Ukraine systems

Win32/Spy.Ranbyus shows how it is possible to bypass payment transaction signing/authentication with smartcard devices and has started to modify java code in one of the most popular remote banking systems (RBS) in the Ukraine.

Olmasco bootkit: next circle of TDL4 evolution (or not?)

Analysis of the Olmasco bootkit: a TDL4 variation with an interesting approach to dropper technology

Defeating anti-forensics in contemporary complex threats

Alexandr Matrosov summarizes the evolution of complex threats using hidden storage, as discussed in his presentation with Eugene Rodionov at Virus Bulletin 2012.

Flamer Analysis: Framework Reconstruction

Aleksandr Matrosov looks at the internal architecture of Win32/Flamer’s mssecmgr.ocx module.

Rovnix.D: the code injection story

Detailed analysis of Rovnix.D reveal updates to the code injection technique employed, allowing multiple injections with a variety of payloads.

Flame, Duqu and Stuxnet: in-depth code analysis of mssecmgr.ocx

Analysis of the Flame worm (Win32/Flamer) reveals some interesting facts about the internal structure of its main module.

Rovnix bootkit framework updated

Changes in the threatscape as regards exploitation of 64-bit systems, exemplified by the latest modifications to the Rovnix bootkit.

Java the Hutt meets CVE-2012-1723: the Evil Empire strikes back

The Java exploit for CVE-2012-1723 is already included in the latest update of the BlackHole exploit kit.

All Carberp botnet organizers arrested

Carberp is a unique case, with all the guys who organized really big botnets and made big profits (millions of US dollars) being arrested.

Follow Us

Automatically receive new posts via email:

Delivered by FeedBurner

ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.