Channel: A blog about rootkits research and the Windows kernel
Browsing all 58 articles

Guntior - detailed analysis of the Chinese bootkit

Original dropper that contains the bootkit dropper:
SHA1: e83ca87a39a5f15ca5942fd57d78e790861c2937
MD5: 15e692cf34a70fb364591622bff1e43a
File size: 86027 bytes
This original dropper extracts the bootkit dropper...

Investigating an interesting kernel mode stealer

About two weeks ago my friend R136a1 from the kernelmode forum came across a dropper that installs a driver in the system. We decided to research it, and it was not a mistake to start...

OnlineGameHack - analysis of the Korean games grabber and AV-killer

The dropper was captured about 3 weeks ago with the help of VX Vault.
Hash:
SHA1: 53b1ce48f2b0cf3c7028184676be7b21485bd45a
MD5: ab551ebc28e4cbcdcb44b1175e14038b
File size: 39936 bytes
The threat consists of three...

artemonsecurity.com is out

Including:
- PoCs
- Tools
- Researches
http://artemonsecurity.com

TDI - a new element in the old TDSS story

According to Microsoft, a new version of Alureon (well known as TDSS) was discovered in August. It's Trojan:Win32/Alureon.FV [dropper] -...

Analysis of VirTool:WinNT/Exforel.A rootkit

A few days ago guys from MMPC reported on a rootkit [backdoor] called VirTool:WinNT/Exforel.A....

Zegost - analysis of the Chinese backdoor

Interesting features:
- Rootkit on board;
- Dropped driver has ~100MB size on disk;
- Contains AVKill code;
- Injected DLL as a payload.
Original dropper...

Necurs rootkit under microscope

Okay, we already know about Necurs; just to recall its interesting features: highly difficult to remove from an infected system; targeted at blocking the drivers of around 30 AV products [and 130 drivers in...

Sality rootkit analysis

Sality is a well-known family of file-infectors (or PE-infectors, or just viruses). As malware it has a very long history of evolution since 2003. Its latest versions contain a rootkit on board to...

Xpiro 64-bit analysis

[originally posted on welivesecurity as my work with the ESET Research team, 30 JUL 2013,...

ISA Server 2006 client: an obvious Security Feature Bypass

ISA Server 2006 is still popular for use in networks. The latest desktop client can be installed from here (x32/x64): http://www.microsoft.com/ru-ru/download/details.aspx?id=10193...

Windows exploitation in 2014

A new version of the annual report about Windows exploitation & mitigation vectors is out:
Vulnerabilities discovered and patched in Microsoft Windows and Office.
Statistics about patched vulnerabilities...

Windows exploitation in 2015

"Windows exploitation in 2015" is out. The new version contains information about Google Chrome security features, EMET, Hacking Team exploits, and Windows vulnerabilities.
Press release: ESET Examines...

My opinions in media

E2EE in modern messengers: [15.07.16] [Geekbrains] [RU] link
Messengers security, E2EE: [28.06.16] [Gazeta.RU] [RU] link
Nemucod + TeslaCrypt campaign: [22.03.16] [Gizmodo India] [ENG] link
Apple v FBI...

Remsec driver analysis

The Remsec (or Cremes) malware has already been thoroughly described by Kaspersky in their report. Symantec also did a blog post about it. This sophisticated malware toolkit belongs to the so-called state-sponsored...

Remsec driver analysis - Part 2

In the previous blog post I described the 32-bit driver that has been used by the attackers behind the Strider cybergroup. I also pointed out that, from my point of view, the driver was developed by skilled guys,...

Remsec driver analysis - Part 3

In the two previous blog posts I described the 32-bit plugin that was mentioned by Kaspersky in their technical analysis. The plugin is called kgate and it has some interesting features, including,...

Remsec driver analysis - Agnitum driver exploitation

In the previous three parts of the "Remsec driver analysis" research I tried to show how the Remsec (aka Cremes) Ring 0 code works and how it is loaded into a system. We already know that the attackers were...

A note about Sednit rootkit

The Sednit cyberespionage group is already well known to AVers & the security community. It is also known as APT28, Fancy Bear, Pawn Storm and Sofacy. A wide range of research shows us that this...

Windows exploitation in 2016

"Windows exploitation in 2016" is out...
