Aleksandr Matrosov

Senior Malware Researcher – Aleksandr Matrosov has worked at ESET as a Senior Malware Researcher since joining the company in October 2009 as a virus researcher; he works remotely from Russia. He has worked as a security researcher since 2003 for major Russian companies. He is also a lecturer in the Cryptology and Discrete Mathematics department of the National Research Nuclear University in Moscow, co-author of the research papers "Stuxnet Under the Microscope" and "TDL3: The Rootkit of All Evil?", and a frequent invited speaker at Russian security conferences. He now specializes in the complete analysis of difficult malicious threats and in research into cybercrime activity.

Recent Articles by Aleksandr Matrosov
December 27, 2012 at 5:23 am

The Win32/Gapz malware family was mentioned publicly for the first time in the middle of November 2012, by the Russian antivirus company Doctor Web (Trojan.Gapz.1 infecting Windows in a new manner). But I didn’t find the technical details about this threat in that report and so prepared a deeper analysis. Win32/Gapz uses many exploitation techniques … Read More…

December 21, 2012 at 2:01 am

I’ve already mentioned the Win32/Spy.Ranbyus family in my previous blog post about smartcard monitoring in modern banking malware (Smartcard vulnerabilities in modern banking malware). It displays really interesting functionality because it shows how it is possible to bypass payment transaction signing/authentication with smartcard devices. We have been tracking the latest modification to this malware family … Read More…

October 18, 2012 at 3:08 pm

Introduction
Olmasco (also known as SST, MaxSS) is a modification of the TDL4 bootkit family that we’ve been aware of since summer 2011. We started to track a new wave of activity from a new Olmasco dropper at the end of this summer. This bootkit family was the second to use VBR (Volume Boot Record) infection … Read More…

October 11, 2012 at 10:00 am

At the end of September at Virus Bulletin 2012 my colleague Eugene Rodionov and I presented the results of our research “Defeating anti-forensics in contemporary complex threats”, dealing with hidden file systems and modern complex threats. Hidden file systems are used by modern complex threats for evading detection by security and forensic software. We have … Read More…

August 2, 2012 at 3:45 pm

From the very beginning of our analysis of Win32/Flamer it was clear that this was an extremely sophisticated piece of malware which we had never seen before. It implements extremely elaborate programming logic and has an intricate internal structure. At the heart of Flame’s modularity lies a carefully designed architecture allowing all its components interoperability … Read More…

July 27, 2012 at 4:00 pm

In one of my previous blog posts I described the bootkit functionality included in modifications found in new Rovnix.D samples (Rovnix bootkit framework updated). However, further detailed analysis uncovered some interesting updates to the code injection technique employed. During the Rovnix.D code analysis process we found algorithms for multiple code injections with a range of … Read More…

July 20, 2012 at 1:02 pm

The Flame worm (detected by ESET as Win32/Flamer) is one of the most interesting targeted threats of this year. Although several articles about it have been published, many of the facts about the internal structure of its main module (mssecmgr.ocx) have not been disclosed yet. In this blog post we want to shed light on … Read More…

July 27, 2012 at 10:05 am

We have been tracking the activity of the Rovnix bootkit family since April 2011. Rovnix was the first bootkit family to use VBR (Volume Boot Record) infection (NTFS bootstrap code) for loading unsigned kernel-mode drivers on x64 (64 bit) platforms. The reason for exploring further is the desire of the Rovnix developers to bypass antivirus … Read More…

July 10, 2012 at 1:56 pm

In one of my previous posts I described how the CVE-2012-1889 vulnerability (CVE2012-1889: MSXML use-after-free vulnerability) works, but the Java exploitation process is too easy for the bad guys not to revisit it. The attacker does not have to think about problems with ASLR/DEP, SafeSEH and other security mechanisms included in the latest versions of Microsoft Windows. … Read More…

July 2, 2012 at 5:35 pm

We have been tracking the Carberp cybercrime group’s activity for three years now. Tracking started in 2009 with the first samples of the Carberp malicious software seen in the wild. By the beginning of 2010 the second wave of Carberp activity had forced out other banking malware families (Win32/Spy.Shiz, Win32/Hodprot) in Russia. We summarized the … Read More…
