Olmasco bootkit: next circle of TDL4 evolution (or not?)
Analysis of the Olmasco bootkit: a TDL4 variation with an interesting approach to dropper technology
bootkit
Defeating anti‑forensics in contemporary complex threats
Alexandr Matrosov summarizes the evolution of complex threats using hidden storage, as discussed in his presentation with Eugene Rodionov at Virus Bulletin 2012.
A white paper: Windows 8’s Security Features
[NOTE: For the latest information about compatibility between ESET’s software and Windows 8, please see the following blog post: W8ing for V6: What ESET has in store for Windows 8 Users. (10/23/2012, 4:15PM)] Windows 8 will be available to the public in three weeks, and interest in the latest version of Microsoft’s flagship operating system
Mac OSX/iOS hacks at Blackhat – are scammers setting their sights?
For years scammers and hackers focused largely on Windows x86-based platforms, in many ways because that’s where the bulk of the users were. But times change, and new targets emerge. At Blackhat and Defcon last week we saw a flurry of talks on Mac OSX/iOS security, trying to illuminate possible chinks in the armor. From
Rakshasa hardware backdooring: the demon that can't be exorcized?
Jonathan Brossard describes an 'undetectable, unremovable' attack on firmware through gimmicked hardware or a subsequent malware attack. David Harley isn't convinced.
Rovnix.D: the code injection story
Detailed analysis of Rovnix.D reveal updates to the code injection technique employed, allowing multiple injections with a variety of payloads.
Rovnix bootkit framework updated
Changes in the threatscape as regards exploitation of 64-bit systems, exemplified by the latest modifications to the Rovnix bootkit.
ZeroAccess? Much too much access…
Why the ZeroAccess rootkit family modifications are important to the end user.
ZeroAccess: code injection chronicles
New versions of the Zeroaccess bootkit demonstrate alternative approaches to distribution and to bootkit infection on 32- and 64-bit Windows.
Rovnix Reloaded: new step of evolution
ESET is seeing a new step of evolution for the Rovnix bootkit family.
Facebook Fakebook: New Trends in Carberp Activity
Facebook fraud, Carberp, statistics and a DDoS plugin.
Bootkit Threat Evolution in 2011
ESET researchers examine the evolution of bootkit threats targeting 64-bit Windows over 2011.
A dozen predictions for 2012
While I share the reluctance of my colleagues to predict the future, I think there are some trends that can be classified as “reasonably likely to occur” in 2012. I make no promises, but here’s what I think we will see, in no particular order of importance or certainty. We will see increased interest in
Carberp + BlackHole = growing fraud incidents
This article examines the relationship between the Black Hole exploit kit and Win32/Carberp.
TDL4 rebooted
ESET researchers have noticed a new phase in the evolution of the TDL4 botnet.
New white paper & presentations, and an SC Mag article
A new conference paper, two conference presentations, and an article for SC Magazine.
Hasta La Vista, Bootkit: Exploiting the VBR
During the first half of 2011 we have witnessed a significant growth in malware targeting 64-bit platforms, the most interesting examples of which are bootkits.
TDSS and hacking the hackers
...Aleks and Eugene released a new version of the tool they developed in the course of their research into the TDL family...
TDL4: Beat‑root with Confidence
...Aleksandr Matrosov and Eugene Rodionov recently delivered a presentation on "Defeating x64: The Evolution of the TDL Rootkit" at Confidence 2011, in Krakow, and now available on our white papers page...
The co‑evolution of TDL4 to bypass the Windows OS Loader patch (KB2506014 )
Our colleagues Aleksandr Matrosov and Eugene Rodionov are tracking the evolution of TDL4 (also known as Win32/Olmarik). The following is a report on the latest TDL4 update, released last week. In our previous blog post, we described how the latest Microsoft Security Update modified the Windows OS loader (winloader.exe) to fix a vulnerability that allowed