Nowadays, .NET samples are increasingly common, necessitating specialized techniques for processing and analysis, especially when obfuscation is used: .NET packers have many tricks up their sleeves, but fortunately we do too.
This paper, presented at the 2014 AVAR conference, looks at the difficulties and possibilities of implementing cooperative initiatives for teaching computer hygiene in a complex 21st century threatscape.
This paper, presented at AVAR 2013, considers the myths about the capabilities of anti-malware technology and demonstrates that reports of its death have been greatly exaggerated.
This paper for Virus Bulletin 2013 considers the special challenges that face security product testers when they test products specific to OS X, and the further implications for testing security products on smartphone operating systems. First published in Virus Bulletin 2013 Conference Proceedings.
A presentation from the CARO workshop in May 2013, looking at the technology that makes Win32/Gapz arguably the most complex bootkit to date.
Presented at the Virus Bulletin 2012 conference in September, this paper considers the pros and cons of the BYOD trend, potential attack vectors, and advice on countermeasures. First published in Virus Bulletin 2012 Conference Proceedings.
Presented at the Virus Bulletin 2012 conference in September, this paper introduces the main capabilities and features of Win32/Dorkbot and considers why and how Win32/Dorkbot’s activity in Latin America differs from the rest of the world. First published in Virus Bulletin 2012 Conference Proceedings.
A comprehensive analysis of the evolution of the Festi botnet, its features, its networking protocol, and the ways in which it tries to protect itself from detection. As presented at the AVAR 2012 conference in Hangzhou.
Technical and in-depth analysis of the implementation of hidden encrypted storage, as used by complex threats currently in the wild including TDL4, Carberp and ZeroAccess. First published in Virus Bulletin 2012 Conference Proceedings.
Presented at the Cybercrime Forensics Education & Training Conference in September 2012, this paper looks at the support scam problem from a forensic point of view.
Presented at the Virus Bulletin 2012 conference in September, this is a comprehensive consideration of the ongoing evolution of the PC telephone support scam. First published in Virus Bulletin 2012 Conference Proceedings.
The use and misuse of public multi-scanner web pages that check suspicious files for possible malicious content, and why they’re no substitute for comparative testing. Presented at the 5th Cybercrime Forensics Education & Training (CFET 2011) Conference in September 2011.
A paper describing the functionality and P2P protocol of Win32/Kelihos, its evolution and its points of similarity to Win32/Nuwar (Storm) and Win32/Waledac. First published in Virus Bulletin 2011 Conference Proceedings.