Author
Pierre-Marc Bureau
Security Intelligence Program Manager

Education? Master's Degree in Computer Engineering.

Position and history at ESET? Security Intelligence Program Manager.

What malware do you hate the most? The ones written in VB and Delphi.

Favorite activities? Rock climbing, snowboarding, hiking.

What is your golden rule for cyberspace? Apply the same caution in cyberspace and in real life.

When did you get your first computer and what kind was it? 1988 – Apple II.

Favorite computer game/activity? Losing at Capture the Flag competitions.

Operation Windigo – the vivisection of a large Linux server-side credential-stealing malware campaign

Our report titled “Operation Windigo – the vivisection of a large Linux server-side credential-stealing malware campaign” details our analysis of a set of malicious programs that infect servers and desktop PCs, and send nearly 500,000 web users to malicious content daily.

Win32/Napolar – A new bot on the block

There is a new bot on the block. ESET identifies it as Win32/Napolar while its author calls it solarbot. This piece of malware came to our attention mid-August because of its interesting anti-debugging and code injection techniques.

Linux/Cdorked.A: New Apache backdoor being used in the wild to serve Blackhole

Analysis of a malicious backdoor serving Blackhole exploit pack found on Linux Apache webserver compromised by malware dubbed Linux/Cdorked.A, together with remediation tool and techniques.

Malicious Apache module used for content injection: Linux/Chapro.A

More than half of all web servers on the Internet use Apache, so when we discovered a malicious Apache module in the wild last month, we were understandably concerned.

Win32/Morto – Made in China, now with PE file infection

In July 2012, our virus laboratory came across what we first thought was a new family of malware. The threat spread by infecting Portable Executable or PE files used by Windows, but this malware also infected systems through remote desktop and network shares. After further analysis, we realized we were dealing with a new version

Flashback Wrap Up

Six months ago, Flashback was attracting a lot of attention from researchers and media due to its wide spread and interesting features. Since then, we have witnessed its operator abandoning control of the botnet by shutting down its latest command and control server. This happened in May this year. The number of infected systems has

Dancing Penguins: a case of organized Android pay-per-install

For years, cyber criminals have organized their operations and traded resources through discussion forums and auction sites. One popular item to trade is access to virus infected PCs for cash. These trading schemes are often called pay-per install (PPI) programs. We have recently started an investigation on a new type of pay-per install program, this

Fighting the OSX/Flashback Hydra

The biggest Mac botnet ever encountered, the OSX/Flashback botnet, is being hit hard. On April 12th, Apple released a third Java update since the Flashback malicious code outbreak. This update includes a new tool called MRT (Malware Removal Tool) which allows Apple to quickly push malware removal code to their user base. The first mission

Updates on OSX/Tsunami.A, a Mac OS X Trojan

Yesterday, ESET announced the discovery of a new threat against the Apple Mac OS X platform. Today, we have found a new version of the same threat. The new version is similar to the previous version with two important differences. The first addition to this threat is that it now implements persistence on an infected

Win32/Kelihos, Recruiting in a Country Near You

As part of our botnet monitoring initiative, we recently stumbled across an interesting piece of news. The Win32/Kelihos botnet, a likely successor to Win32/Waledac and Win32/Nuwar (the infamous Storm worm), is now sending spam to recruit money mules. We captured two different spam templates used by the bot to generate spam messages. As shown in

The co-evolution of TDL4 to bypass the Windows OS Loader patch (KB2506014)

Our colleagues Aleksandr Matrosov and Eugene Rodionov are tracking the evolution of TDL4 (also known as Win32/Olmarik). The following is a report on the latest TDL4 update, released last week. In our previous blog post, we described how the latest Microsoft Security Update modified the Windows OS loader (winloader.exe) to fix a vulnerability that allowed

The End of Win32/Swizzor?

It appears that the group behind the Win32/Swizzor malware family has put an end to their operation. This malware family has been around since 2002. Security companies have seen hundreds of thousands of unique binaries classified as this family, which was installed on PCs through "affiliate" programs. The malware is used to display unsolicited advertisements

IM to Spread Malware: the Butterfly Effect

This weekend, an unnamed worm forced Microsoft to temporarily suspend active links in Live Messenger 2009, in order to prevent the aggressive worm from spreading further. This is quite a surprising measure, because worms spreading through Instant Messaging (IM) such as Skype, Yahoo! Messenger and Microsoft Live Messenger are not new at all! For example,

New malicious LNKs: here we go…

These new families represent a major transition: Win32/Stuxnet demonstrates a number of novel and interesting features apart from the original 0-day LNK vulnerability, such as its association with the targeting of Siemens control software on SCADA sites and the use of stolen digital certificates. However, the new malware we’re seeing is far less sophisticated, and suggests bottom feeders seizing on techniques developed by others. Peter Kosinar comments:

Win32/Stuxnet Signed Binaries

On July 17th, ESET identified a new malicious file related to the Win32/Stuxnet worm. This new driver is a significant discovery because the file was signed with a certificate from a company called "JMicron Technology Corp".  This is different from the previous drivers which were signed with the certificate from Realtek Semiconductor Corp.  It is

Swizzor for Dummies

Win32/Swizzor is a very prevalent—and old—malware family having been around since at least 2002.  Over the years, ESET has collected millions of samples related to this family and we still receive hundreds of new ones every day.  Over the last two years, Win32/Swizzor has frequently shown up in our top ten lists of the most

Unpatched Java Deployment Kit Vulnerability Exploited in the Wild

Last Friday, Tavis Ormandy published details about a vulnerability in the Java Deployment Toolkit. The vulnerability allows an attacker to download and execute arbitrary Java code on a vulnerable system. We released generic detection for attacks against this vulnerability, the exploitation code being detected as "JS/Exploit.JavaDepKit.A trojan". Since yesterday, we are starting to see this vulnerability

“Aurora” exploit code: from Targeted Attacks to Mass Infection.

Last Thursday, Microsoft released an out-of-band update to fix the latest vulnerability in Internet Explorer.  Since then, malware operators have been exploiting this vulnerability to install malware on thousands of PCs.  So far, we have detected more than 650 different versions of the exploit code which is detected as Trojan.JS/Exploit.CVE-2010-0249 by ESET antivirus.  We have

SEO Poisoning: What’s in the News Today?

Search engines are free, powerful and efficient tools. But the same tools can be used to exploit the unsuspecting visitor who trusts the search results. Malicious SEO (Search Engine Optimization) is one such tactic where criminals spread malware through infected websites and poisoned search results. (This is sometimes referred to as index hijacking or SEO

More Infections = A Lot More Malware

To get a better understanding of infection trends over the last few months, the ESET research team has analyzed data compiled by our online scanner. This tool is available freely from ESET’s website at http://www.esetonlinescan.com and can be accessed by anyone to scan their system without having to install our product. Data from our online

More Nuwar for the New Year

The gang behind the Nuwar threat (also called Storm Worm or Zhelatin) has been very active during the holidays.  They have been sending numerous waves of spam in an attempt to infect as many users as possible. The gang is taking advantage of the fact that a lot of researchers are taking some time off

Beware of Imposters

There seems to be a common belief that malware only lands on a computer through e-mails. This is far from being the case. Our ThreatSense statistics show that a lot of Internet users fall for social engineering on web pages and are tricked into installing fake programs. As David Harley pointed out on his blog

New Nuwar for Christmas

At midnight GMT time, we started receiving reports of a new wave of Nuwar e-mails.  The e-mails contain the following text trying to convince a user into visiting a malicious website: This Christmas, we want to show you something you will really enjoy. This might not be fun for the whole family, but I bet

Good Bye Seoul!

This year’s Association of Antivirus Asia Research (AVAR) conference was held in Seoul, Korea. The conference ended this evening after two days of presentations and discussions. The conference was a good opportunity to learn more about specific threats targeting Asia. We learned that online game information stealing is prevalent in this part of the world

PaChat Targeted Attack in Canada

At the end of last week, we were made aware of a new targeted attack. The social engineering strategy and malware construction caught our attention because of its sophistication. The threat came as an e-mail addressed to a director at a company based in Canada. The e-mail was addressed with the full name, street address

Bot Stories

Computer experts are familiar with the .com file type. The .com extension is often used by binary program files under MS-DOS. Why is this important? Because anything that has the ‘.com’ extension on a Windows system is considered an executable file and is executed when a user double-clicks on it. The same is

Safe Halloween!

Today, we are celebrating Halloween and malware authors want to be part of the fun.  They love to disguise and they love zombies even more.  To celebrate Halloween, the operators of the Storm Worm have launched a new e-mail campaign to attract users to their malicious pages and infect their systems with the latest variant

Nuwar Traffic Analysis

Nuwar, also known as the Storm Worm, is a very popular threat in the antivirus industry this year.  This threat has attracted a lot of attention because of its sophistication and the strenuous efforts made by its authors to maintain a strong botnet.  The botherders who operate the Nuwar botnet control infected PCs with a

Virus Bulletin 2007

The antivirus industry sometimes has a reputation of being secretive or even aggressive to newcomers. A short visit to the Virus Bulletin conference, which is being held in Vienna this year, is all it takes to convince anyone of the opposite. It is impressive to see how much information is exchanged during the three

Honor Among Thieves

Yesterday, we were shooting a report for a television network in Canada.  Part of the report concerns the underground economy.  We decided to connect to an Internet Relay Chat (IRC)  server to see how much stolen credit card data is sold.  While looking at the never ending flow of people announcing their PayPal, egold and

Electronic Jihad

Last week, we came across a very interesting piece of software that mixes freedom of speech, network security, and religion.  This software is called “e-Jihad” and is freely distributed on the Internet.  This software is used to let the owner of a computer give control of his system to the creator of e-Jihad.  The makers

Everybody loves me!

A lot of people came back to work on Monday thinking they had a lot of new friends. During the weekend, we observed a very high volume of fake greeting cards being sent by e-mail. Of course, these cards don’t come from anonymous friends but from anonymous malware authors wanting to increase the size of


Copyright © 2017 ESET, All Rights Reserved.