search result

The Powerloader 64-bit update based on leaked exploits

A few months ago on this blog I described PowerLoader functionality, including an interesting way of escalating privileges into the explorer.exe system process. The leaked PowerLoader code is also used in other malware families.

Bootkit Threat Evolution in 2011

ESET researchers examine the evolution of bootkit threats targeting 64-bit Windows over 2011.

Hasta La Vista, Bootkit: Exploiting the VBR

During the first half of 2011 we witnessed significant growth in malware targeting 64-bit platforms, the most interesting examples of which are bootkits.

Bypassing code signing policy: welcome to the (Eko)party

ESET researchers Aleksandr Matrosov and Eugene Rodionov just gave a talk entitled "Defeating x64: Modern Trends of Kernel-Mode Rootkits".

TDL4 revisited

I just saw an article by Mathew Schwartz for Information Week focused on a series of articles by Aleksandr Matrosov, Eugene Rodionov and myself for Infosec Institute. The articles are actually based on previous analyses of TDL3 and TDL4 by Aleksandr and Eugene, but even if you’ve seen those, you might find the aggregation of older

Rovnix bootkit framework updated

Changes in the threatscape as regards exploitation of 64-bit systems, exemplified by the latest modifications to the Rovnix bootkit.

ZeroAccess: code injection chronicles

New versions of the ZeroAccess bootkit demonstrate alternative approaches to distribution and to bootkit infection on 32- and 64-bit Windows.

TDL4 reloaded: Purple Haze all in my brain

A new TDL4 sample includes novel privilege escalation mechanisms in the dropper and changes to the hidden storage system.

Evolution of Win32/Carberp: going deeper

This month we discovered new information on a new modification in the Win32/TrojanDownloader.Carberp trojan family.

Mysterious Avatar rootkit with API, SDK, and Yahoo Groups for C&C communication

The mysterious Avatar rootkit, detected by ESET as Win32/Rootkit.Avatar, appears to reflect a heavy investment in code development, with an API and an SDK available, plus an interesting abuse of Yahoo Groups for C&C communications.

Anti-Extortion 101

I read a story today called “Give me your money, or your computer gets it” at http://redtape.msnbc.com/2010/01/turning-hijacked-computers-into-cash-is-still-hard-work-for-most-computer-criminals-theyve-got-to-trick-the-infected-pc-into.html. While the story does offer some practical advice, it misses some critical points and gets one thing a bit wrong. The story actually talks about a couple of different “ransom” attacks. There is the case where your data

How to configure WinDbg for kernel debugging

In this post, Matías Porolli looks at how to configure an environment with WinDbg and virtual machines in order to debug drivers or code running in Windows kernel space.

Demystifying targeted malware used against Polish banks

The purpose of this blog post is to deliver technical details of an as-yet minimally documented piece of malware that has made headlines in Poland.

KillDisk now targeting Linux: Demands $250K ransom, but can’t decrypt

ESET has discovered a Linux variant of the KillDisk component that renders Linux machines unbootable while encrypting files and demanding a large ransom.

Critical vulnerabilities in Windows and Adobe Reader exposed by hacker

A hacker has published an extensive list of Adobe Reader and Windows vulnerabilities based on his research into a relatively obscure area of font management.

Operation Buhtrap, the trap for Russian accountants

The Operation Buhtrap campaign targets a wide range of Russian banks, has used several different code signing certificates and implements evasive methods to avoid detection.

Casper Malware: After Babar and Bunny, Another Espionage Cartoon

In this post, we lift the veil on Casper – another piece of software that we believe to have been created by the same organization that is behind Babar and Bunny.

Linux haunted by Ghost vulnerability

Security researchers have found a vulnerability inherent to a widely used component in most versions of Linux, reports Computer World.

Two recently patched Adobe Flash vulnerabilities now used in Exploit Kits

Two Flash vulnerabilities that were fixed by Adobe two weeks ago are now being used in exploit kits. This is in addition to a third vulnerability, CVE-2014-0556, that was patched in September and was added to the Nuclear exploit kit last week.

Bootkits, Windigo, and Virus Bulletin

ESET research on Operation Windigo received an award at Virus Bulletin 2014. Our research on bootkits was also well received, and is now available publicly.

Copyright © 2017 ESET, All Rights Reserved.