David Harley
Senior Research Fellow
[Some interesting research reported by Aleksandr Matrosov]
[Update: minor edits to graphics]
[Update 2: two additional FTP server graphics added at the end.]
Not long ago we received interesting information from an independent security researcher from Russia, Vladimir Kropotov. (We will be presenting our joint research with him at CARO 2012.) We started to research this information and …
[Update: there is now a well-considered response from Avast! on its blog here.]
There's a blog article I've been wanting to write for a few days, but haven't so far been able to make time for. However, Martijn Grooten drew my attention to a blog on much the same topic from our friends at Avast! and …
Here's a quick summary of the PREFETCH and INF ploys I mentioned in a separate blog here. These are alternatives (or supplements) used by support scammers from India to the Event Viewer and ASSOC/CLSID ploys also used to "prove" to a victim that their system is infected with malware or has other security/integrity problems.
The "Prefetch" command shows the …
Our colleagues at ESET UK drew my attention to another article on the resurrection of the Kelihos botnet (Win32/Kelihos). The article is based on the abuse.ch analysis of a particular sample. The analysis is interesting and well executed, but the reappearance of Kelihos isn't exactly hot off the press: there were several reports to that …
It was back in the 1990s when someone told me that operating systems like Windows NT were getting so safe that AV would soon be out of business. And I hear on a regular basis that AV is so ineffective it's not worth having. Because I get some of my income from the anti-virus industry, …
[More research from our colleagues in Russia]
In the beginning of February we found a new modification of our "old friend" Win32/Rovnix (the dropper detected as Win32/Rovnix.B trojan), which is the first bootkit using VBR (Volume Boot Record) infection. An interesting fact is that Rovnix bootkit components were used in Win32/Carberp, the most widely spread banking …
Here are some further thoughts arising from the ACPO National Cyber Crime Conference held recently in the UK*.
DAC Janet Williams, ACPO’s e-Crime lead, summarized the current initiatives along these lines (apologies if I’ve introduced too many of my own preconceptions):
The UK intends to tackle cybercrime and make this one of the safest places to do …
I spent a couple of days last week at the National Cyber Crime Conference in Sheffield*, UK.
I was invited there to talk about those PC support scams that have been raising my blood pressure for a while. (That's a topic I'll be returning to sooner rather than later.) While I very much enjoyed the opportunity …
A few years ago, from time to time I used to visit the school where my wife taught IT, to talk to some of their students about IT security. In fact, we wrote a paper at that time (along with my good friend Eddy Willems), based on some research data we gathered between us in the …
Update: Mila's own blog on the topic is now available here. Other vendors may find the MD5 useful: A1B3E59AE17BA6F940AFAF86485E5907. However, Mila reports that detection of the sample is already improving.
Update 2: just to clarify, Aleksandr and Eugene should get the credit for the analysis, as is usual with our collaborations. I'm just the scribe/editor …