Olmasco bootkit: next circle of TDL4 evolution (or not?)
Analysis of the Olmasco bootkit: a TDL4 variation with an interesting approach to dropper technology
bootkit
Defeating anti-forensics in contemporary complex threats
Alexandr Matrosov summarizes the evolution of complex threats using hidden storage, as discussed in his presentation with Eugene Rodionov at Virus Bulletin 2012.
A white paper: Windows 8’s Security Features
[NOTE: For the latest information about compatibility between ESET’s software and Windows 8, please see the following blog post: W8ing for V6: What ESET has in store for Windows 8 Users. (10/23/2012, 4:15PM)] Windows 8 will be available to the public in three weeks, and interest in the latest version of Microsoft’s flagship operating system
Mac OSX/iOS hacks at Blackhat – are scammers setting their sights?
For years scammers and hackers focused largely on Windows x86-based platforms, in many ways because that’s where the bulk of the users were. But times change, and new targets emerge. At Blackhat and Defcon last week we saw a flurry of talks on Mac OSX/iOS security, trying to illuminate possible chinks in the armor. From
Rakshasa hardware backdooring: the demon that can't be exorcized?
Jonathan Brossard describes an 'undetectable, unremovable' attack on firmware through gimmicked hardware or a subsequent malware attack. David Harley isn't convinced.
Rovnix.D: the code injection story
Detailed analysis of Rovnix.D reveal updates to the code injection technique employed, allowing multiple injections with a variety of payloads.
Rovnix bootkit framework updated
Changes in the threatscape as regards exploitation of 64-bit systems, exemplified by the latest modifications to the Rovnix bootkit.
ZeroAccess? Much too much access…
Why the ZeroAccess rootkit family modifications are important to the end user.
ZeroAccess: code injection chronicles
New versions of the Zeroaccess bootkit demonstrate alternative approaches to distribution and to bootkit infection on 32- and 64-bit Windows.
Rovnix Reloaded: new step of evolution
ESET is seeing a new step of evolution for the Rovnix bootkit family.
Facebook Fakebook: New Trends in Carberp Activity
Facebook fraud, Carberp, statistics and a DDoS plugin.
Bootkit Threat Evolution in 2011
ESET researchers examine the evolution of bootkit threats targeting 64-bit Windows over 2011.
A dozen predictions for 2012
While I share the reluctance of my colleagues to predict the future, I think there are some trends that can be classified as “reasonably likely to occur” in 2012. I make no promises, but here’s what I think we will see, in no particular order of importance or certainty. We will see increased interest in
Carberp + BlackHole = growing fraud incidents
This article examines the relationship between the Black Hole exploit kit and Win32/Carberp.
TDL4 rebooted
ESET researchers have noticed a new phase in the evolution of the TDL4 botnet.
New white paper & presentations, and an SC Mag article
A new conference paper, two conference presentations, and an article for SC Magazine.
Hasta La Vista, Bootkit: Exploiting the VBR
During the first half of 2011 we have witnessed a significant growth in malware targeting 64-bit platforms, the most interesting examples of which are bootkits.
TDSS and hacking the hackers
...Aleks and Eugene released a new version of the tool they developed in the course of their research into the TDL family...
TDL4: Beat-root with Confidence
...Aleksandr Matrosov and Eugene Rodionov recently delivered a presentation on "Defeating x64: The Evolution of the TDL Rootkit" at Confidence 2011, in Krakow, and now available on our white papers page...
The co-evolution of TDL4 to bypass the Windows OS Loader patch (KB2506014 )
Our colleagues Aleksandr Matrosov and Eugene Rodionov are tracking the evolution of TDL4 (also known as Win32/Olmarik). The following is a report on the latest TDL4 update, released last week. In our previous blog post, we described how the latest Microsoft Security Update modified the Windows OS loader (winloader.exe) to fix a vulnerability that allowed