Apple Crumble?

I had an interesting query from Scientific American [unfortunately Larry Greenemeier’s blog at showing the main thrust of the discussion is no longer visible on the site – DH, 2017]. He asked, “Could Apple’s move to pull its security presentation from the Black Hat conference backfire on the company and make the company more of a target for

A Departure (sniffle)…

Alas, Andrew Lee, our beloved leader in the Research team, has left ESET for green fields and postures – er, pastures – new. He was last observed heading for the beach and muttering something about bikinis, but assures us that he isn’t leaving the antivirus industry. That’s certainly a good thing, as even before he joined

Stealth & Vulnerability

For many years, anti-malware industry developers and researchers have been waging a bitter war against malware writers. Even if the objectives of the malware writers have radically changed from fun to profit, the arms race has always continued. Malware writers are constantly trying to create programs that will evade antivirus detection. On the other side

Farewell Angelina

Kurt Wismer (whose blog at is well worth tracking, by the way) responded to my “Giving Old Viruses the Boot” blog as follows (I’ve only just seen it, hence my re-opening the topic as a fresh blog, rather than as another response to the original blog): kurt wismer Says: June 20th, 2008 at 11:39

Giving Old Viruses the Boot

Further to my recent post on the venerable (but still out there) Slammer worm, we were asked recently about a real old-timer, a boot-sector infector called Stoned.Angelina. (Oddly enough, I think this was the last BSI reported to me when I was still doing occasional 2nd-line AV support earlier in this decade.) How could such an elderly

Analysis of some Mobile Malware

With the release of ESET’s Mobile Antivirus, a security solution for smart phones, I started asking myself about mobile threats. While there is not as much malicious software attacking mobile platforms as exists in the desktop world, I was able to find some interesting samples to analyze. The following is an analysis of the WinCE/Brador.A

What the Helkern is that?

In my copious free time, I sometimes answer questions on security issues on one of those “Ask the Experts” pages. It sometimes feels a bit like stepping into a not-quite-parallel universe, where it’s still 2002-3: a strangely high proportion of those queries are about Helkern (the worm most of us know as Slammer or SQL Slammer,

Rustock.C – kernel mode protector (short analysis)

In the past few weeks there have been many rumors about Rustock.C: many people have talked about how hard it is to process, and many people have also complained about the uselessness of a replicant sample made publicly available (MD5 00430470e6754f082b6c2c19d022caea). Actually, I can definitely say that this sample is… very useful. With deep analysis we


I run (in my copious free time) a page called Mac Virus that I inherited from Susan Lesch, who ran it as a comprehensive Mac antivirus resource. (That page has nothing to do with the later pages at or, by the way, which also refer to themselves as Mac Virus, and recently experienced infestation problems

50 VB100 Awards!

With the June Virus Bulletin test, ESET became the first antivirus company in the world to pass 50 tests for VB100 awards. As a consumer, I think you should know what the VB100 award means. First of all, a VB100 award does not mean that a product detects 100% of all viruses or malware. The VB

The AV Industry from the Outside In and the Inside Out

I have a rather unique perspective on the antivirus industry. I used to work for Microsoft before they were a competitor. Come on, you can’t call MSAV from DOS 6 an antivirus product :) For over seven years my job at Microsoft was to make sure that Microsoft did not release any infected software. All

The Race to Zero

The Race to Zero contest is being held during Defcon 16 at the Riviera Hotel in Las Vegas, 8-10 August 2008. The event involves contestants being given a sample set of viruses and malcode to modify and upload through the contest portal. The portal passes the modified samples through a number of antivirus engines and

Recreational Virus Writing

Greetings, my loyal readers. How are you both? Have you noticed that I’ve been uncharacteristically quiet for the past month or two? A combination of sheer overwork (are you listening, boss?), a much needed holiday, and some fairly serious surgery, has prevented me from sharing my prejudices with you. And look at all the things that have

Malware Affiliation Programs

If you are a frequent reader of this blog, it is not news to you that malware authors are moving away from a quest for fame toward profit driven operations. Malware authors and controllers are moving to a free market organization where each group has a very precise area of expertise and “outsource” other tasks

Nuwar Shifts to Fake Codecs

It has only been a day since the last strategy shift from the Nuwar gang and they have already gone away from the love letter theme. By monitoring computers infected with Nuwar, we can keep track of their social engineering schemes. They are now using a common theme used by the Zlob threat for a

Nuwar on Blogspot

Since yesterday evening, the gang behind Nuwar (also called the Storm Worm) have registered a number of blogspot accounts to spread their malware. Clicking on an image will redirect the browser to an executable called love.exe, while clicking on the link in the text below the image will download a file named withlove.exe. Both executables

April Storm!

The gang behind Storm missed Easter, but they were not going to miss two opportunities in a row! We are witnessing a new Storm campaign around the theme of April Fool’s Day. Electronic mails are being sent with titles like “Happy April Fool’s Day.” The body of the message contains a small sentence and a link.

CanSecWest 2008

CanSecWest is already over! This year’s conference was great. There was a good mix of talks touching various security-related topics including hardware, software and humans. Tom Liston and Sherri Davidoff presented on memory forensics. They demonstrated that inspecting the RAM of a computer after its reboot can yield a gold mine of information

Snopes hoax revisited.

I’ve already posted something about this chainletter, but figured it was worth expanding on which parts of it are useful and which aren’t. A friend who is a computer expert received the following directly from a system administrator for a corporate system. This kind of opening is characteristic of many hoaxes and urban legends (we

Nuwar Back to Electronic Cards

Another week, another scheme from the Nuwar gang. We started receiving reports early this morning that new variants of Nuwar are being advertised through spam. Some of the e-mail subjects include “Please open your ecard.” and “This ecard is hillarious!”. The e-mail contains, as usual, a very simple text and a link to a host