ESET Threat Blog

Archive for the 'ESET Russia' Category

by Aleksandr Matrosov, Senior Malware Researcher
April 16, 2012 at 11:21 am

This week we have detected another interesting attack vector. This time cybercriminals are using an interesting technique for hiding malicious JavaScript and employ implicit iframe injection. At this moment we are tracking hundreds of infected legitimate web sites in the Russian internet segment using this technique of infection. Let’s analyze this attack method step by … Read More…

Comments: 3

by David Harley, Senior Research Fellow
March 20, 2012 at 12:54 pm

[Update: police have issued a video of the man they say ran the whole group.]
We've spent quite a lot of time on this blog in the last year or more discussing Win32/Carberp, which has also found its way into the occasional paper and presentation.
So it gave us particular pleasure to see that our friends at … Read More…

Comments: 1

by David Harley, Senior Research Fellow
February 22, 2012 at 4:12 pm

[More research from our colleagues in Russia]
At the beginning of February we found a new modification of our “old friend” Win32/Rovnix (the dropper detected as the Win32/Rovnix.B trojan), which is the first bootkit using VBR (Volume Boot Record) infection. An interesting fact is that Rovnix bootkit components were used in Win32/Carberp, the most widely spread banking … Read More…

Comments: 0

by David Harley, Senior Research Fellow
December 5, 2011 at 6:57 am

In recent years there has been a tremendous increase in the Russian region in the number of sites redirecting users to the Black Hole exploit kit. In most cases, successful exploitation of a vulnerability in client software leads to the installation onto the victim’s machine of either the trojan Win32/TrojanDownloader.Carberp or of Win32/Carberp (the version … Read More…

Comments: 3

by David Harley, Senior Research Fellow
December 5, 2011 at 4:53 am

[More news from my colleagues in Russia on their analysis of an interesting item of bank-targeting malware.]
This month we discovered new information on a new modification in the Win32/TrojanDownloader.Carberp trojan family. This trojan is notorious as one of the most widely spread malicious programs in Russia, stealing money from remote banking systems and primarily targeting … Read More…

Comments: 1

by David Harley, Senior Research Fellow
July 25, 2011 at 3:01 am

[In their presentation “Cybercrime in Russia: Trends and issues” at CARO2011 -- one of the best presentations of the workshop, in my unbiased opinion -- Robert Lipovsky, Aleksandr Matrosov and Dmitry Volkov mentioned the Win32/Hodprot malware family, which seems to be undergoing something of a resurgence. But why don’t I let them tell you ... Read More…

Comments: 2

by David Harley, Senior Research Fellow
July 18, 2011 at 1:03 am

My Russian colleagues Aleksandr Matrosov and Eugene Rodionov report that recently a cybercrime group called “Ready to Ride” has attracted their attention by distributing malware of the Win32/Cycbot family. This group started in the fall of last year, judging from the domain name registration date – readytoride.su was registered on 8th September 2010.
Its primary activities were … Read More…

Comments: 0

by David Harley, Senior Research Fellow
June 27, 2011 at 11:48 pm

The TDSS botnet, now in its 4th generation, is seriously sophisticated malware, which is why we've spent so much time writing about it: the revision of the paper The Evolution of TDL: Conquering x64 that will be up on the white papers page shortly runs to 54 pages and includes some highly technical analysis, including the detail on … Read More…

Comments: 0

by David Harley, Senior Research Fellow
November 16, 2011 at 9:59 am

If you've been following the research we've been publishing (spearheaded by my Russian colleagues Aleksandr Matrosov and Eugene Rodionov) you'll be aware that the TDL rootkit family doesn’t make use of the OS’s own file system. Instead, it implements its own hidden storage for the payload, configuration files and so on. The hidden storage is located at the end … Read More…

Comments: 4

by David Harley, Senior Research Fellow
May 23, 2011 at 2:49 am

It occurs to me that I haven't recently posted any pointers to our content on SC Magazine's Cybercrime Corner, and now might be a good time to recap on what Randy and I have been posting there this month (so far…)
Babushka* dollars
David Harley, May 19, 2011
It's not surprising, given how much cybercrime originates in Eastern … Read More…

Comments: 0