The mysterious Avatar rootkit, detected by ESET as Win32/Rootkit.Avatar, appears to reflect a heavy investment in code development, with an API and an SDK available, plus an interesting abuse of Yahoo Groups for C&C communications.
Introducing a detailed analysis of Win32/Gapz malware in a new white paper titled: Mind the Gapz: The most complex bootkit ever analyzed?
Aleksandr Matrosov reveals changes in banking Trojan Carberp relating to Java/Spy.Banker (AgentX.jar) and gaining remote access using legitimate software as backdoor components.
Technical analysis of Power Loader, a special bot builder for making downloaders for other malware families and yet another example of specialization and modularity in malware production.
A deep dive into Win32/Theola, one of the most malicious components of the notorious bootkit family, Win32/Mebroot.FX. Theola uses malicious Chrome browser plugins to steal money.
Analysis of malicious code dubbed Win32/Caphaw (a.k.a. Shylock) attacking major European banks, with the ability to steal money automatically while the user is actively accessing their banking account.
At the beginning of January 2013, we started tracking the interesting Win32/Redyms trojan family. Redyms is notable for changing search results from popular search engines on infected machines.
Win32/Gapz has a new technique for code injection and a new VBR infection method. The dropper has many tricks for bypassing detection by security software.
Win32/Spy.Ranbyus shows how it is possible to bypass payment transaction signing/authentication with smartcard devices and has started to modify Java code in one of the most popular remote banking systems (RBS) in Ukraine.
Analysis of the Olmasco bootkit: a TDL4 variation with an interesting approach to dropper technology.