A journey in the land of (Cyber-) espionage – stunning presentation by ESET researchers JoanCalvet, Jessy Campos and Thomas Dupuy.

A presentation by Jean-Ian Boutin, Anton Cherepanov and Jan Matušík, detailing Operation Buhtrap.

Nowadays, .NET samples are increasingly common, necessitating specialized techniques for processing and analysis, especially when obfuscation is used: .NET packers have many tricks up their sleeves, but fortunately we do too.

The Analysis of a Linux Router-based Worm Hungry for Social Networks

This paper, presented at the 2014 AVAR conference, looks at the difficulties  and possibilities of implementing cooperative initiatives for teaching computer hygiene in a complex 21^st century threatscape.

This paper, presented at Virus Bulletin 2014, shows how the bootkit threat has evolved over time and what further developments the future might bring, as well as some useful tools and mitigations.

This paper, presented at AVAR 2013, considers the myths about the capabilities of anti-malware technology and demonstrates that reports of its death have been greatly exaggerated.

A presentation from the CARO workshop in May 2013, looking at the technology that makes Win32/Gapz arguably the most complex bootkit to date.

Presented at the Virus Bulletin 2012 conference in September, this paper considers the pros and cons of the BYOD trend, potential attack vectors, and advice on countermeasures. First published in Virus Bulletin 2012 Conference Proceedings*

Presented at the Virus Bulletin 2012 conference in September, this paper introduces the main capabilities and features of Win32/Dorkbot and considers why and how Win32/Dorkbot’s activity in Latin America differs from the rest of the world. First published in Virus Bulletin 2012 Conference Proceedings*

A comprehensive analysis of the evolution of the Festi botnet, its features, its networking protocol, and the ways in which it tries to protect itself from detection. As presented at the AVAR 2102 conference in Hang Zhou.

Technical and in-depth analysis of the implementation of hidden encrypted storage, as used by complex threats currently in the wild including TDL4, Carberp and ZeroAccess. First published in Virus Bulletin 2012 Conference Proceedings*

Presented at the Cybercrime Forensics Education & Training Conference in September 2012, this paper looks at the support scam problem from a forensic point of view.

Presented at the Virus Bulletin 2012 conference in September, this is a comprehensive consideration of the ongoing evolution of the PC telephone support scam. First published in Virus Bulletin 2012 Conference Proceedings*

Presented at the EICAR 2012 conference in May, this paper considers common strategies for selecting four-digit passcodes, and the implications for end-user security. Originally published in the EICAR 2012 Conference Proceedings.

Presented at the EICAR 2012 conference in May, this paper looks at how the Anti-Malware Testing Standards Organization might yet retain enough credibility to achieve its original aims. Originally published in the EICAR 2012 Conference Proceedings.

The use and misuse of public multi-scanner web pages that check suspicious files for possible malicious content, and why they’re no substitute for comparative testing.
Presented at the 5th Cybercrime Forensics Education & Training (CFET 2011) Conference in September 2011

A paper describing the functionality and P2P protocol of Win32/Kelihos, its evolution and its points of similarity to Win32/Nuwar (Storm) and Win32/Waledac.
First published in Virus Bulletin 2011 Conference Proceedings*

Two years on from “Is there a lawyer in the lab”, greyware and Possibly Unwanted Applications offer serious challenges for security vendors.
First published in Virus Bulletin 2011 Conference Proceedings*