A few months ago on this blog I described PowerLoader functionality – including an interesting way for privilege escalation into the explorer.exe system process. The leaked PowerLoader code is also used in other malware families.
ESET researchers Aleksandr Matrosov and Eugene Rodionov just gave a talk on Defeating x64: Modern Trends of Kernel-Mode Rootkits
I just saw an article by Mathew Schwartz for Information Week focused on a series of articles by Aleksandr Matrosov, Eugene Rodionov and myself for Infosec Institute. The articles are actually based on previous analyses of TDL3 and TDL4 by Aleksandr and Eugene, but even if you’ve seen those, you might find the aggregation of older
The mysterious Avatar rootkit, detected by ESET as Win32/Rootkit.Avatar, appears to reflect a heavy investment in code development, with an API and a SDK available, plus an interesting abuse of Yahoo Groups for C&C communications.
I read a story today called “Give me your money, or your computer gets it” at http://redtape.msnbc.com/2010/01/turning-hijacked-computers-into-cash-is-still-hard-work-for-most-computer-criminals-theyve-got-to-trick-the-infected-pc-into.html. While the story does offer some practical advice, it misses some critical points and gets one thing a bit wrong. The story actually talks about a couple of different “ransom” attacks. There is the case where your data
The purpose of this blog is to deliver technical details of an as-yet minimally documented malware that has made headlines in Poland.
ESET has discovered a Linux variant of the KillDisk component that renders Linux machines unbootable, while encrypting files and requesting a large ransom at the same time.
A hacker has published an extensive list of Adobe Reader and Windows vulnerabilities based on his research into a relatively obscure area of font management.
The Operation Buhtrap campaign targets a wide range of Russian banks, used several different code signing certificates and implements evasive methods to avoid detection.
In this post, we lift the veil on Casper – another piece of software that we believe to have been created by the same organization that is behind Babar and Bunny.
Two Flash vulnerabilities that were fixed by Adobe 2 weeks ago are now being used in exploit kits. This is in addition to a third vulnerability, CVE-2014-0556, that was patched in September and that has also been added to Nuclear EK last week.