Channel: MalwareTech
Browsing all 95 articles

NeXuS AKA Chronic IRC Bot

Introduction: "NeXuS" is a new bot being sold on Hack Forums. The thread originally drew a lot of attention after the seller refused to reveal who coded it or prove that the code was not ripped. He even...

Andromeda v2.4

Section headings from the article: Installation, Original Process, Remote Process, Hooking, Communication & Commands (Communication, Download, Add Plugin, The other ones), Anti-Emulation/Anti-Debugging (RDTSC, Harddrive names, Blacklist Process...)

WebCrab

I just quickly dumped some details. The injection and process enumeration are fairly standard and work on all OSes. It checks whether a process has already been infected by creating a mutex with the name...


BetaBot and the endless stream of misinformation

Introduction: Well, I've been planning to write a technical analysis of BetaBot for a while and I'm just about getting round to it. However, as my part of this blog is supposed to be a comedy blog that...

Rise of the dual architecture usermode rootkit

A bit about past rootkits: In the past it has been very common to see usermode rootkits that only attack one architecture, which has usually been 32-bit. A standard rootkit injects code into specific/all...

Carberp source code, days away from full leak

Brief history: Carberp was a banking bot that first came up on researchers' radars in the last part of 2010. By the end of 2011 the bot had been spotted in the wild, testing with bootkit functionality...

Carberp source code now leaked

The Bootpocalypse: While security blogs are still flooding the internet with the old news of the Carberp source going on sale for $50k, I'd like to take some time to give you some slightly more recent...

PowerLoader Injection - Something truly amazing

I'm not dead: It has been a while since I wrote an article (I've been pretty busy in real life), so I decided to get writing. This article will probably only make sense to people from a malware research...

Cybercrime - A Tale of Two Economies

Something Different: Currently I'm waiting for something before I put up my next malware article, so while I'm waiting I decided I'd write something a little different. Everywhere there are articles...

Personal Security - What Can Be Done?

Introduction: It's no secret that keeping your computer free from malware has become much harder. I remember about 12 years ago my friend showing me a CD and announcing that it was an antivirus, which...

Win64/Vabushky - The Great Code Heist

Introduction: This analysis is of a new winlocker dropper that was first seen in the wild last month. The binary is 64-bit, packed with MPRESS, and contains 3 local privilege escalation exploits...

Fighting Hooks With Hooks - Sandbox Escape

Introduction: I was pretty bored today and couldn't think of an article to write, so I decided I'd come up with an example of escaping a sandbox. Most sandboxes use hooks placed within user-mode DLLs in order...

Ring3 / Ring0 Rootkit Hook Detection 1/2

Introduction: The cybercrime underworld hasn't given me any exciting malware to reverse and I'm running out of ideas for new posts, so I'm going to do a 2-part article about the techniques used by...

Ring3 / Ring0 Rootkit Hook Detection 2/2

Introduction: This article was actually planned to be posted the day after the first; however, I've not had much sleep the past few weeks, then I got sick, so it was very delayed. I'm pleased with how...

KINS Source Code Leaked

Much Ado About Nothing: Today the KINS source code was posted publicly after being sold to just about everyone and their dog. As expected, it's just a Zeus modification containing code taken from various...

End of The Line for Solar Bot (Win32/Napolar)?

Solar Bot: Solar Bot is a new type of usermode rootkit that created much hype by being "the first of its kind". The rootkit is able to inject and hook both 32-bit and 64-bit processes, making it...

Botnet Takedowns - fun and good publicity, nothing more

Takedowns: For the past year or so the Kelihos botnet has been in the news after constant attempts to take it down. Recently the ZeroAccess botnet has also been subject to similar publicity, but what do...

MtGox Nearly Breaks Bitcoin...Again

Previous Incident: In April 2013 large trading volume caused the MtGox trading engine to begin lagging. As soon as the trading engine lag started to build, traders panic-sold due to the increasing risk...

Portable Executable Injection For Beginners

Process Injection: Process injection is an age-old technique used by malware for 3 main reasons: running without a process, placing user-mode hooks for a rootkit or formgrabber, and bypassing antivirus...

Selfish Mining - How to make Yourself Broke

Selfish Mining: Selfish mining, in short, is a theoretical concept in which a malicious pool of miners could gain a better income by deliberately forking the blockchain. If a mining pool were to not...
