In a comment to a previous post, Finjan have confirmed that Win32/Hexzone.AP is just one of the malicious programs downloaded to machines infected by the unnamed bot  behind the 1.9 million PC botnet they reported: it isn’t the bot itself.  While I think we’d pretty much established that (especially after some very useful input from Atif

Some more information on the Hexzone botnet has come my way, mostly from FireEye’s Atif Mushtaq and Paul Ferguson’s hairdresser (don’t ask!). Atif also mentions the association with ransomware: the malware is installed as a Browser Helper Object (BHO) on the victim’s machine, and hijacks browsing sessions, taking the victim to a page hosting pornography.

There is some chatter about a news item that has been released by Finjan in a blog post this morning.  The news has been picked up by Computer Weekly and USA Today. The un-named bot involved in this story is detected by ESET as Win32/Hexzone.AP.  It is a typical Trojan that reports to a command

I haven’t commented on the recent flurry of interest in the Mac botnet issue, having already mentioned it a few weeks ago here. It’s not as though anyone has shown much interest in the technical aspects, such as the interesting use of the Authorization Services APIs to trick the victim into authorizing installation. Just one of

Some of you may have recently read of researchers discovering a botnet that is using Mac computers. Are you surprised? Well, perhaps if you drink the Apple flavored Kool-Aid you are, but if you understand operating systems at all then this is really not at all surprising. Operating systems are designed to run programs. A

Larry Seltzer, one of the better commentators on malware issues, has picked up on the disparity between ESET’s naming of the latest variant and Symantec’s – they call it W32.Downadup.E. Richard Adhikari (who also seems to pretty clueful) also picked up on the naming issue when we exchanged emails a few days ago. This issue

So now for a little more tech detail on Win32/Conficker.AQ (kindly supplied by Juraj Malcho at our labs in Europe – however, if I get anything wrong, that will almost  certainly be down to my faulty interpretation!) The new variant has two main components. The server component is an .EXE that infects vulnerable PC’s in

If you just got here looking for my blog on Conficker and "blended hoaxes", I’m afraid I just pulled it (temporarily at least) in the light of new data that’s come in since last night: I don’t want to mislead anyone, as it seems that the new Conficker stuff is a lot more active and

Talking of the C-worm ("Will no-one rid me of this troublesome malware?") I mentioned in a blog from a couple of days ago that Jose Nazario supplied some useful information on an issue I was checking into. The issue concerned reports from a Russian news site of Distributed Denial of Service attacks on Russian sites:

If it was the intention of the Conficker gang to create a huge splash, they succeeded. (In fact, it’s quite possible that they’ve attracted more attention than they really wanted.) In any case, it seems that lots of people are looking nervously over their shoulders for any indication that something unpleasant and Conficker-related is about