Author
Pierre-Marc Bureau
Pierre-Marc Bureau
Security Intelligence Program Manager
Go to latest posts

Education? Master Degree in Computer Engineering.

Position and history at ESET? Security Intelligence Program Manager.

What malware do you hate the most? The ones written in VB and Delphi.

Favorite activities? Rock climbing, snowboarding, hiking.

What is your golden rule for cyberspace? Apply the same caution in cyberspace and in real life.

When did you get your first computer and what kind was it? 1988 – Apple II.

Favorite computer game/activity? Losing at Capture the Flag competitions.

Waledac is Back!

The Waledac botnet has been activated and it is now sending spam promoting videos of Independence Day, even if we are only July 3rd. They are using multiple web pages with titles like “Fourth of July Fireworks Shows”. Users wishing to view the video are asked to click an image that returns an executable and

Beware of Independence Day Scams

Researchers at ESET have reliable intelligence that the Waledac botnet is currently being prepared for a spam campaign around the Independence Day theme. They have registered at least 18 domain names all related to the theme of video, fireworks, and Independence Day. The criminals behind Waledac are preparing to start sending spam with links to

Everybody loves Facebook

Facebook has been around for years and it has constantly been gaining in popularity.  Part of the reason for this social network site’s success is that it represents a gold mine of information for employers, marketers, journalists, and, of course, cyber criminals.  There are plenty of examples of phishing attacks and other scams on this

Smaller Conferences are the Best

In the security community, the beginning of the summer is the time of the year when most conferences are held.  In the last couple of days, there has been the CARO workshop, the AMTSO meeting and the EICAR conference.  Numerous ESET employees have attended each of these gatherings.  In my opinion, the best event so

Another Big Botnet

There is some chatter about a news item that has been released by Finjan in a blog post this morning.  The news has been picked up by Computer Weekly and USA Today. The un-named bot involved in this story is detected by ESET as Win32/Hexzone.AP.  It is a typical Trojan that reports to a command

Win32/Waledac for Valentine’s Day

As Valentine’s Day is approaching the criminals behind Win32/Waledac have increased their activity. The Valentine campaign started some time ago but the interesting part is only starting for us.  The Waledac botnet has been using fast flux for some time now.  This means that the IP addresses of the websites used to distribute this malware

Malware Trying to Avoid Some Countries

There are different techniques that can be used by a program to identify in which country it has been installed.  It can check for time zone information, public IP addresses or even domain names.  Lately, we have seen two different malware families trying to discover their geographic location in an effort to avoid infecting PCs

Fake Holiday eCards: Are You Surprised?

Yesterday, we started to receive reports of emails pretending to carry links to holiday cards.  These emails contain a link that points to a file named ecard.exe.  Of course, this executable is not a seasonal holiday card but malware.  The reason this wave of malware has attracted our attention is that it is very similar

From Fake to Subtle

After seeing so many fake antivirus programs lately, it is interesting to take a look at other types of threats.  Yesterday, we received an example of malware that tries to be very subtle about its installation process.  The malware spreads through email.  After infecting a computer, it will monitor the mailbox of its victim and

A Closer Look at Gimmiv.A

As stated previously by Randy, a new vulnerability affecting the Windows operating system from Microsoft has recently been discovered and has been patched Yesterday by an out of cycle patch.  This vulnerability has been exploited by attackers to install a trojan horse on victim computers.  The name of this trojan is Gimmiv.A.  This blog post

Wave of Malicious PDFs

For the last couple of weeks, we have been seeing a wave of malicious PDFs crafted to exploit security flaws in PDF reader software.  For the last two weeks alone, we have detected more than 25 000 attacks involving this type of file.  Attackers are exploiting two different vulnerabilities in Adobe Acrobat Reader to execute

A Deeper Look at Win32/Inject.NBL

Late Monday, we received samples of a malware that spreads through instant messaging.  Detection was quickly added for this threat and David gave a nice summary of the events in a blog post. When analyzing this binary, we found out that Win32/Inject.NBL has a couple of interesting characteristics.  First of all, we were able to

Beware of Fake Invoices

Over the last two weeks, we have seen an increase of fake e-mails pretending to contain invoices for various companies including UPS, Fedex and airlines from around the globe.  Subject of such e-mails include “Fedex tracking number 1234567890” or “E-ticket #1234567890”.  The body of the e-mail states that the recipient’s credit card has been charged

Analysis of some Mobile Malware

With the release of ESET’s Mobile Antivirus, a security solution for smart phones, I started asking myself about mobile threats. While there is not as much malicious software attacking mobile platforms as exists in the desktop world, I was able to find some interesting samples to analyze. The following is an analysis of the WinCE/Brador.A

Rustock.C – kernel mode protector (short analysis)

In the past few weeks there have been many rumors about Rustock.C: many people have talked how hard it is to process, and many people have also complained about the uselessness of a replicant sample made publicly available (MD5 00430470e6754f082b6c2c19d022caea). Actually, I can definitely say that this sample is… very useful. With deep analysis we

Malware Affiliation Programs

If you are a frequent reader of this blog, it is not news to you that malware authors are moving away from a quest for fame toward profit driven operations. Malware authors and controllers are moving to a free market organization where each group has a very precise area of expertise and “outsource” other tasks

Nuwar Shifts to Fake Codecs

It has only been a day since the last strategy shift from the Nuwar gang and they have already gone away from the love letter theme.  By monitoring computers infected with Nuwar, we can keep track of their social engineering schemes.  They are now using a common theme used by the Zlob threat for a

Nuwar on Blogspot

Since Yesterday evening, the gang behind Nuwar (also called the Storm Worm), have registered a number of blogspot accounts to spread their malware. Clicking on an image will redirect the browser to an executable called love.exe while clicking on the link in the text below the image will download a file named withlove.exe. Both executables

April Storm!

The gang behind Storm missed Easter but they were not going to miss two opportunities in a row! We are witnessing a new Storm campaign around the theme of April Fool’s day. Electronic mails are being sent with titles like “Happy April Fool’s Day.”.The body of the message contains a small sentence and a link.

CanSecWest 2008

CanSecWest is already over!  This year’s conference was great.  There has been a good mix of talks touching various security related topics including hardware, software and humans. Tom Liston and Sherri Davidoff presented on memory forensics.  They demonstrated that inspecting the RAM of a computer after its reboot can yield a gold mine of information

More Nuwar for the New Year

The gang behind the Nuwar threat (also called Storm Worm or Zhelatin) has been very active during the holidays.  They have been sending numerous waves of spam in an attempt to infect as many users as possible. The gang is taking advantage of the fact that a lot of researchers are taking some time off

Beware of Imposters

There seems to be a common belief that malware only lands on a computer through e-mails. This is far from being the case. Our ThreatSense statistics shows that a lot of Internet users fall for social engineering on web pages and are tricked into installing fake programs. As David Harley pointed out on his blog

New Nuwar for Christmas

At midnight GMT time, we started receiving reports of a new wave of Nuwar e-mails.  The e-mails contain the following text trying to convince a user into visiting a malicious website: This Christmas, we want to show you something you will really enjoy. This might not be fun for the whole family, but I bet

Good Bye Seoul!

This year’s Association of Antivirus Asia Research (AVAR) conference was held in Seoul, Korea.  The conference ended this evening after two days of presentations and discussions. The conference was a good opportunity to learn more about specific threats targeting Asia.  We learned that online game information stealing is prevalent in this part of the World

PaChat Targeted Attack in Canada

At the end of last week, we were made aware of a new targeted attack. The social engineering strategy and malware construction caught our attention because of its sophistication. The threat came as an e-mail addressed to a director at a company based in Canada. The e-mail was addressed with the full name, street address

Bot Stories

Computer experts are familiar with the .com file type. The .com extension is often used by binary program files under MS-DOS. Why is this important? Because anything that has the ‘.com’ extension on a windows system is considered as an executable file and is executed when a user doubles click on it. The same is

Safe Halloween!

Today, we are celebrating Halloween and malware authors want to be part of the fun.  They love to disguise and they love zombies even more.  To celebrate Halloween, the operators of the Storm Worm have launched a new e-mail campaign to attract users to their malicious pages and infect their systems with the latest variant

Nuwar Traffic Analysis

Nuwar, also known as the Storm Worm, is a very popular threat in the antivirus industry this year.  This threat has attracted a lot of attention because of its sophistication and the strenuous efforts made by its authors to maintain a strong botnet.  The botherders who operate the Nuwar botnet control infected PCs with a

Virus Bulletin 2007

The antivirus industry sometimes has a reputation of being secretive or even aggressive to newcomers.  Only a small visit at the Virus Bulletin conference that is being held in Vienna this year is all it takes to convince anyone of the opposite.  It is impressive to see how much information is exchanged during the three

Honor Among Thieves

Yesterday, we were shooting a report for a television network in Canada.  Part of the report concerns the underground economy.  We decided to connect to an Internet Relay Chat (IRC)  server to see how much stolen credit card data is sold.  While looking at the never ending flow of people announcing their PayPal, egold and

Electronic Jihad

Last week, we came across a very interesting piece of software that mixes freedom of speech, network security, and religion.  This software is called “e-Jihad” and is freely distributed on the Internet.  This software is used to let the owner of a computer give control of his system to the creator of e-Jihad.  The makers

Everybody loves me!

A lot of people came back to work on Monday thinking they had a lot of new friends.  During the weekend, we observed a very high volume of fake greeting card being sent by e-mail.  Of course, these cards don’t come from anonymous friends but from anonymous malware authors wanting to increase the size of

Follow us

Copyright © 2017 ESET, All Rights Reserved.