author
Aleksandr Matrosov
Education: Master of Information Security (2007) at National Nuclear Research University "MEPHI"
Bachelor of Electronics (2001) at Moscow College of Management and New Technologies
Highlights of your career? I have more than ten years of experience with malware analysis, reverse engineering and advanced exploitation techniques. Worked as a security researcher since 2003 for major Russian IT companies. Frequently invited to speak at major security conferences with hardcore technical stuff.
Position and history at ESET? I joined the company in October 2009 as a Senior Malware Researcher and am currently working as Security Intelligence Team Lead. My team researches the most complex threats.
What malware do you hate the most? Stuxnet and Flame families for tons of C++ code.
Favorite activities? Reverse engineering, automation of RE processes and research in modern exploitation techniques.
What is your golden rule for cyberspace? Don't trust anybody, because you don’t know who is really sitting on other side of the communication channel and bad guys can play with your trust.
When did you get your first computer and what kind was it? My first experience with personal computers was with a ZX Spectrum in 1992. My first PC with i486DX4 on the board was purchased in 1995.
Favorite computer game/activity? I like cyberpunk computer game series as System Shock and Deus Ex. But lately my favorite computer game has been IDA Pro disassembler ;)
Alexandr Matrosov summarizes the evolution of complex threats using hidden storage, as discussed in his presentation with Eugene Rodionov at Virus Bulletin 2012.
Aleksandr Matrosov looks at the internal architecture of Win32/Flamer’s mssecmgr.ocx module.
Detailed analysis of Rovnix.D reveal updates to the code injection technique employed, allowing multiple injections with a variety of payloads.
Analysis of the Flame worm (Win32/Flamer) reveals some interesting facts about the internal structure of its main module.
Changes in the threatscape as regards exploitation of 64-bit systems, exemplified by the latest modifications to the Rovnix bootkit.
The Java exploit for CVE-2012-1723 is already included in the latest update of the BlackHole exploit kit.
Carberp is a unique case, with all the guys who organized really big botnets and made big profits (millions of US dollars) being arrested.
New versions of the Zeroaccess bootkit demonstrate alternative approaches to distribution and to bootkit infection on 32- and 64-bit Windows.
As soon as Microsoft had released patches for security bulletin MS12-037 (which patched 13 vulnerabilities for Internet Explorer) Google published information (Microsoft XML vulnerability under active exploitation) about a new zero-day vulnerability (CVE-2012-1889) in Microsoft XML Core Services. Sometimes vulnerabilities are discovered at a rate that outpaces the patching process and so a temporary fix
Aleksandr Matrosov and Eugene Rodionov presented their research into “Smartcard vulnerabilities in modern banking malware†at PHDays’2012.
