ESET Threat Blog

ESET had quite a strong representation at Virus Bulletin this year in Barcelona, as David Harley mentioned in his post prior to the conference.
On the first day, Pierre-Marc Bureau presented his findings about the Kelihos botnet, David Harley and AVG’s Larry Bridwell discussed the usefulness and present state of AV testing, and to finish the … Read More…

Well, nearly. And please forgive my uncharacteristic enthusiasm, but Virus Bulletin's annual conference is really one of the highlights of the year for the research community. Not only because of the quality of the event itself (which is very, very high!) but also because it's one of the few events that most of us manage … Read More…

[Updated. Twice. ]
'Tis the season to get ready for the autumn round of security conferences. For me, it starts at the beginning of September with a small but perfectly formed Forensics conference at Canterbury Christ Church University, in the UK, where I'll be presenting on "Man, Myth, Malware and Multiscanning" – a presentation I'm … Read More…

Our colleagues Aleksandr Matrosov and Eugene Rodionov are tracking the evolution of TDL4 (also known as Win32/Olmarik). The following is a report on the latest TDL4 update, released last week.
In our previous blog post, we described how the latest Microsoft Security Update modified the Windows OS loader (winloader.exe) to fix a vulnerability that allowed the … Read More…

My colleague Aleksandr Matrosov today received an interesting sample of TDL4 from another of my colleagues, Pierre-Marc Bureau: this sample downloads and install another malicious program, Win32/Glupteba.D. This was the first instance he’d come across of TDL4 used to install other malware, and here's his account of what he found.
A sample of Win32/Olmarik.AOV was obtained … Read More…

Pierre-Marc tells me that he has received two malware samples that grabbed his attention due to their resemblance to Storm/Waledac.  They use the same kind of distribution mechanism: that is, spam with links to a New Year eCard for New year with titles like "New Year Wishes!" and "You Received an Ecard."  The mail contains … Read More…

The case for in-the-lab botnet experimentation: creating and taking down a 3000-node botnet
By Joan Calvet, Carlton R. Davis, José M. Fernandez, Jean-Yves Marion, Pier-Luc St-Onge, Wadie Guizani, Pierre-Marc Bureau, and Anil Somayaji
This paper, presented at the Annual Computer Security Applications Conference (2010), and to which ESET's Pierre-Marc Bureau was a contributor, discusses alternative approaches to … Read More…

Our own Pierre-Marc Bureau was heavily quoted in an article by Tom Simonite on the use by the École Polytechnique de Montreal (in collaboration with researchers from Nancy University, France, and Carlton University, Canada), of a cluster of servers used for an experiment with a live botnet.
The article refers to a recent paper on "The case … Read More…

This weekend, an unnamed worm forced Microsoft to temporarily suspend active links  in Live Messenger 2009, in order to prevent the aggressive worm from spreading further. This is quite a surprising measure, because worms spreading through Instant Messaging (IM) such as Skype, Yahoo! Messenger and Microsoft Live Messenger are not new at all! For example, … Read More…

Our interim analysis of a version of the malware we detect as Java/Boonana.A or Win32/Boonana.A (depending on the particular component of this multi-binary attack) differs in some characteristics from other reports we've seen.
The most dramatic difference is in the social engineering hook used in messages sent to an infected user's friends list. Other reports (including … Read More…