Guntior - detailed analysis of the Chinese bootkit
Original dropper that contains the bootkit dropper:
SHA1: e83ca87a39a5f15ca5942fd57d78e790861c2937
MD5: 15e692cf34a70fb364591622bff1e43a
File size: 86027 bytes
This original dropper extracts the bootkit dropper...
Investigation of an interesting kernel mode stealer
About two weeks ago my friend R136a1 from the kernelmode forum came across a dropper that installs a driver in the system. We decided to research it, and starting that research was not a mistake...
OnlineGameHack - analysis of the Korean games grabber and AV-killer
The dropper was captured about 3 weeks ago with the help of VX Vault.
Hash:
SHA1: 53b1ce48f2b0cf3c7028184676be7b21485bd45a
MD5: ab551ebc28e4cbcdcb44b1175e14038b
File size: 39936 bytes
The threat consists of three...
artemonsecurity.com is out
Including:
- PoCs
- Tools
- Researches
http://artemonsecurity.com
TDI - a new element in old tdss story
According to Microsoft, a new version of Alureon (well known as tdss) was discovered in August. It is Trojan:Win32/Alureon.FV [dropper] -...
Analysis of VirTool:WinNT/Exforel.A rootkit
A few days ago guys from MMPC reported a rootkit [backdoor] called VirTool:WinNT/Exforel.A....
Zegost - analysis of the Chinese backdoor
Interesting features:
- Rootkit on board;
- Dropped driver has ~100MB size on disk;
- Contains AVKill code;
- Injected DLL as a payload.
Original dropper...
Necurs rootkit under microscope
Okay, we already know about Necurs; just a reminder of its interesting features:
Highly difficult to remove from an infected system;
Targeted at blocking drivers of around 30 AV products [and 130 drivers in...
Sality rootkit analysis
Sality is a well-known family of file infectors (or PE infectors, or just viruses). As malware it has a very long history of evolution since 2003. Its latest versions contain a rootkit on board to...
Xpiro 64-bit analysis
[originally posted on welivesecurity as my work with the ESET Research team, 30 JUL 2013,...
ISA Server 2006 client: an obvious Security Feature Bypass
ISA Server 2006 is still popular in network deployments. The latest desktop client can be installed from here, x32/x64: http://www.microsoft.com/ru-ru/download/details.aspx?id=10193...
Windows exploitation in 2014
A new version of the annual report about Windows exploitation & mitigation vectors is out:
Vulnerabilities discovered and patched in Microsoft Windows and Office.
Statistics about patched vulnerabilities...
Windows exploitation in 2015
"Windows exploitation in 2015" is out. The new version contains information about Google Chrome security features, EMET, Hacking Team exploits, and Windows vulnerabilities.
Press release
ESET Examines...
My opinions in media
E2EE in modern messengers: [15.07.16] [Geekbrains] [RU] link
Messengers security, E2EE: [28.06.16] [Gazeta.RU] [RU] link
Nemucod + TeslaCrypt campaign: [22.03.16] [Gizmodo India] [ENG] link
Apple v FBI...
Remsec driver analysis
The Remsec or Cremes malware has already been perfectly described by Kaspersky in their report. Symantec also did a blog post about it. This sophisticated malware toolkit refers to so-called state-sponsored...
Remsec driver analysis - Part 2
In the previous blog post I described the 32-bit driver that has been used by the attackers behind the Strider cybergroup. I also pointed out that, from my point of view, the driver was developed by skilled guys,...
Remsec driver analysis - Part 3
In the two previous blog posts I described the 32-bit plugin that was mentioned by Kaspersky in their technical analysis. The plugin is called kgate and it has some interesting features, including,...
Remsec driver analysis - Agnitum driver exploitation
In the previous three parts of the "Remsec driver analysis" research I tried to show how the Remsec (aka Cremes) Ring 0 code works and how it is loaded into a system. We already know that the attackers were...
A note about Sednit rootkit
The Sednit cyberespionage group is already well known to AVers & the security community. It is also known as APT28, Fancy Bear, Pawn Storm, Sofacy. A wide range of various researches shows us that this...