Jean-Ian Boutin

Last month, we presented “The Evolution of Webinject” in Seattle at the 24th Virus Bulletin conference. This blog post will go over its key findings and provide links to the various material that has been released in the last few weeks.

iBanking is a malicious Android application that when installed on a mobile phone is able to spy on its user’s communications. This bot has many interesting phone-specific capabilities, including capturing incoming and outgoing SMS messages, redirecting incoming voice calls, and even capturing audio using the device’s microphone.

The first sign we saw of this malware was in mid-May 2013, but it is still very active, and uses Android to bypass two-factor authentication systems. It clearly seeks to infect Dutch computers - 75% of detections come from this region.

We have already discussed how a system gets infected with Win32/Nymaim ransomware. In this blog post, we reveal a new infection vector, a study of the different international locker designs and ransom prices as well as a complete technical analysis of its communication protocol.

We look at malware delivered by a campaign that has infected thousands of websites around the world - and the various control flow obfuscation techniques that make its analysis as interesting as it is challenging.

In our previous post on Operation Hangover, we revealed the existence of an attack group, apparently operating from within India, who were mainly targeting systems in Pakistan. In this post, we will analyze the Mac OS X samples that have been linked to this group and will provide new evidence that the Mac and Windows spywares are related.

Detailed analysis of a targeted campaign that tries to steal sensitive information from different organizations throughout the world, but particularly in Pakistan.

Here's a brazen fake antivirus program that falsely declares you are infected, then locks your screen and asks you call a toll free number for Support, which then asks you to pay to remove the fake infection.

Technical analysis of malware that abuses code signing certificates normally used to positively identify a software publisher and to guarantee code is unchanged.