Pierre-Marc Bureau, Author at WeLiveSecurity

Bio

Pierre-Marc Bureau

Pierre-Marc Bureau

Security Intelligence Program Manager

Education? Master Degree in Computer Engineering.

Position and history at ESET? Security Intelligence Program Manager.

What malware do you hate the most? The ones written in VB and Delphi.

Favorite activities? Rock climbing, snowboarding, hiking.

What is your golden rule for cyberspace? Apply the same caution in cyberspace and in real life.

When did you get your first computer and what kind was it? 1988 – Apple II.

Favorite computer game/activity? Losing at Capture the Flag competitions.

Articles by author

Win32/Morto – Made in China, now with PE file infection

In July 2012, our virus laboratory came across what we first thought was a new family of malware. The threat spread by infecting Portable Executable or PE files used by Windows, but this malware also infected systems through remote desktop and network shares. After further analysis, we realized we were dealing with a new version

Flashback Wrap Up

Six months ago, Flashback was attracting a lot of attention from researchers and media due to its wide spread and interesting features. Since then, we have witnessed its operator abandoning control of the botnet by shutting down its latest command and control server. This happened in May this year. The number of infected systems has

Dancing Penguins: a case of organized Android pay-per-install

For years, cyber criminals have organized their operations and traded resources through discussion forums and auction sites. One popular item to trade is access to virus infected PCs for cash. These trading schemes are often called pay-per install (PPI) programs. We have recently started an investigation on a new type of pay-per install program, this

Fighting the OSX/Flashback Hydra

The biggest Mac botnet ever encountered, the OSX/Flashback botnet, is being hit hard. On April 12th, Apple released a third Java update since the Flashback malicious code outbreak. This update includes a new tool called MRT (Malware Removal Tool) which allows Apple to quickly push malware removal code to their user base. The first mission

Updates on OSX/Tsunami.A, a Mac OS X Trojan

Yesterday, ESET announced the discovery of a new threat against the Apple Mac OS X platform. Today, we have found a new version of the same threat. The new version is similar to the previous version with two important differences. The first addition to this threat is that it now implements persistence on an infected

Win32/Kelihos, Recruiting in a Country Near You

As part of our botnet monitoring initiative, we recently stumbled across an interesting piece of news. The Win32/Kelihos botnet, a likely successor to Win32/Waledac and Win32/Nuwar (the infamous Storm worm), is now sending spam to recruit money mules. We captured two different spam templates used by the bot to generate spam messages. As shown in

The End of Win32/Swizzor?

It appears that the group behind the Win32/Swizzor malware family has put an end to their operation. This malware family has been around since 2002. Security companies have seen hundreds of thousands of unique binaries classified as this family, which was installed on PCs through "affiliate" programs. The malware is used to display unsolicited advertisements

IM to Spread Malware: the Butterfly Effect

This weekend, an unnamed worm forced Microsoft to temporarily suspend active links  in Live Messenger 2009, in order to prevent the aggressive worm from spreading further. This is quite a surprising measure, because worms spreading through Instant Messaging (IM) such as Skype, Yahoo! Messenger and Microsoft Live Messenger are not new at all! For example,

New malicious LNKs: here we go…

These new families represent a major transition: Win32/Stuxnet demonstrates a number of novel and interesting features apart from the original 0-day LNK vulnerability, such as its association with the targeting of Siemens control software on SCADA sites and the use of stolen digital certificates, However, the new malware we're seeing is far less sophisticated, and suggests bottom feeders seizing on techniques developed by others. Peter Kosinar comments:

Win32/Stuxnet Signed Binaries

On July 17th, ESET identified a new malicious file related to the Win32/Stuxnet worm. This new driver is a significant discovery because the file was signed with a certificate from a company called "JMicron Technology Corp".  This is different from the previous drivers which were signed with the certificate from Realtek Semiconductor Corp.  It is

Swizzor for Dummies

Win32/Swizzor is a very prevalent—and old—malware family having been around since at least 2002.  Over the years, ESET has collected millions of samples related to this family and we still receive hundreds of new ones every day.  Over the last two years, Win32/Swizzor has frequently shown up in our top ten lists of the most

Unpatched Java Deployment Kit Vulnerability Exploited in the Wild

 Last Friday, Tavis Ormandy published details about a vulnerability in the Java Deployment Toolkit. The vulnerability allows an attacker to download and execute arbitrary Java code on a vulnerable system. We released generic detection for attacks against this vulnerability, the exploitation code being detected as "JS/Exploit.JavaDepKit.A trojan". Since yesterday, we are starting to see this vulnerability

“Aurora” exploit code: from Targeted Attacks to Mass Infection.

Last Thursday, Microsoft released an out-of-band update to fix the latest vulnerability in Internet Explorer.  Since then, malware operators have been exploiting this vulnerability to install malware on thousands of PCs.  So far, we have detected more than 650 different versions of the exploit code which is detected as Trojan.JS/Exploit.CVE-2010-0249 by ESET antivirus.  We have

SEO Poisoning: What’s in the News Today?

Search engines are free, powerful and efficient tools. But the same tools can be used to exploit the unsuspecting visitor who trusts the search results. Malicious SEO (Search Engine Optimization) is one such tactic where criminals spread malware through infected websites and poisoned search results. (This is sometimes referred to as index hijacking or SEO

More Infections = A Lot More Malware

To get a better understanding of infection trends over the last few months, the ESET research team has analyzed data compiled by our online scanner. This tool is available freely from ESET’s website at http://www.esetonlinescan.com and can be accessed by anyone to scan their system without having to install our product. Data from our online

Waledac is Back!

The Waledac botnet has been activated and it is now sending spam promoting videos of Independence Day, even if we are only July 3rd. They are using multiple web pages with titles like “Fourth of July Fireworks Shows”. Users wishing to view the video are asked to click an image that returns an executable and

Beware of Independence Day Scams

Researchers at ESET have reliable intelligence that the Waledac botnet is currently being prepared for a spam campaign around the Independence Day theme. They have registered at least 18 domain names all related to the theme of video, fireworks, and Independence Day. The criminals behind Waledac are preparing to start sending spam with links to

Everybody loves Facebook

Facebook has been around for years and it has constantly been gaining in popularity.  Part of the reason for this social network site’s success is that it represents a gold mine of information for employers, marketers, journalists, and, of course, cyber criminals.  There are plenty of examples of phishing attacks and other scams on this

Smaller Conferences are the Best

In the security community, the beginning of the summer is the time of the year when most conferences are held.  In the last couple of days, there has been the CARO workshop, the AMTSO meeting and the EICAR conference.  Numerous ESET employees have attended each of these gatherings.  In my opinion, the best event so

Another Big Botnet

There is some chatter about a news item that has been released by Finjan in a blog post this morning.  The news has been picked up by Computer Weekly and USA Today. The un-named bot involved in this story is detected by ESET as Win32/Hexzone.AP.  It is a typical Trojan that reports to a command

Win32/Waledac for Valentine’s Day

As Valentine’s Day is approaching the criminals behind Win32/Waledac have increased their activity. The Valentine campaign started some time ago but the interesting part is only starting for us.  The Waledac botnet has been using fast flux for some time now.  This means that the IP addresses of the websites used to distribute this malware

Malware Trying to Avoid Some Countries

There are different techniques that can be used by a program to identify in which country it has been installed.  It can check for time zone information, public IP addresses or even domain names.  Lately, we have seen two different malware families trying to discover their geographic location in an effort to avoid infecting PCs

Fake Holiday eCards: Are You Surprised?

Yesterday, we started to receive reports of emails pretending to carry links to holiday cards.  These emails contain a link that points to a file named ecard.exe.  Of course, this executable is not a seasonal holiday card but malware.  The reason this wave of malware has attracted our attention is that it is very similar

From Fake to Subtle

After seeing so many fake antivirus programs lately, it is interesting to take a look at other types of threats.  Yesterday, we received an example of malware that tries to be very subtle about its installation process.  The malware spreads through email.  After infecting a computer, it will monitor the mailbox of its victim and

A Closer Look at Gimmiv.A

As stated previously by Randy, a new vulnerability affecting the Windows operating system from Microsoft has recently been discovered and has been patched Yesterday by an out of cycle patch.  This vulnerability has been exploited by attackers to install a trojan horse on victim computers.  The name of this trojan is Gimmiv.A.  This blog post

Wave of Malicious PDFs

For the last couple of weeks, we have been seeing a wave of malicious PDFs crafted to exploit security flaws in PDF reader software.  For the last two weeks alone, we have detected more than 25 000 attacks involving this type of file.  Attackers are exploiting two different vulnerabilities in Adobe Acrobat Reader to execute

A Deeper Look at Win32/Inject.NBL

Late Monday, we received samples of a malware that spreads through instant messaging.  Detection was quickly added for this threat and David gave a nice summary of the events in a blog post. When analyzing this binary, we found out that Win32/Inject.NBL has a couple of interesting characteristics.  First of all, we were able to

Beware of Fake Invoices

Over the last two weeks, we have seen an increase of fake e-mails pretending to contain invoices for various companies including UPS, Fedex and airlines from around the globe.  Subject of such e-mails include “Fedex tracking number 1234567890” or “E-ticket #1234567890”.  The body of the e-mail states that the recipient’s credit card has been charged

Analysis of some Mobile Malware

With the release of ESET’s Mobile Antivirus, a security solution for smart phones, I started asking myself about mobile threats. While there is not as much malicious software attacking mobile platforms as exists in the desktop world, I was able to find some interesting samples to analyze. The following is an analysis of the WinCE/Brador.A

Rustock.C – kernel mode protector (short analysis)

In the past few weeks there have been many rumors about Rustock.C: many people have talked how hard it is to process, and many people have also complained about the uselessness of a replicant sample made publicly available (MD5 00430470e6754f082b6c2c19d022caea). Actually, I can definitely say that this sample is… very useful. With deep analysis we

Malware Affiliation Programs

If you are a frequent reader of this blog, it is not news to you that malware authors are moving away from a quest for fame toward profit driven operations. Malware authors and controllers are moving to a free market organization where each group has a very precise area of expertise and “outsource” other tasks

Nuwar Shifts to Fake Codecs

It has only been a day since the last strategy shift from the Nuwar gang and they have already gone away from the love letter theme.  By monitoring computers infected with Nuwar, we can keep track of their social engineering schemes.  They are now using a common theme used by the Zlob threat for a

Nuwar on Blogspot

Since Yesterday evening, the gang behind Nuwar (also called the Storm Worm), have registered a number of blogspot accounts to spread their malware. Clicking on an image will redirect the browser to an executable called love.exe while clicking on the link in the text below the image will download a file named withlove.exe. Both executables