ESET Threat Blog

Archive for the 'Pierre-Marc Bureau' Category

by Righard Zwienenberg Senior Research Fellow
March 28, 2012 at 10:30 am

Malicious software that gets updates from a domain belonging to the Eurasian state of Georgia? This unusual behavior caught the attention of an analyst in ESET's virus laboratory earlier this year, leading to further analysis which revealed an information stealing trojan being used to target Georgian nationals in particular. After further investigation, ESET researchers were … Read More…

Comments: 5
by David Harley Senior Research Fellow
March 12, 2012 at 8:51 am

Our colleagues at ESET UK drew my attention to another article on the resurrection of the Kelihos botnet (Win32/Kelihos). The article is based on the abuse.ch analysis of a particular sample. The analysis is interesting and well executed, but the reappearance of Kelihos isn't exactly hot off the press: there were several reports to that … Read More…

Comments: 0
by Robert Lipovsky Malware Researcher
October 11, 2011 at 11:23 am

ESET had quite a strong representation at Virus Bulletin this year in Barcelona, as David Harley mentioned in his post prior to the conference.
On the first day, Pierre-Marc Bureau presented his findings about the Kelihos botnet, David Harley and AVG’s Larry Bridwell discussed the usefulness and present state of AV testing, and to finish the … Read More…

Comments: 2
by David Harley Senior Research Fellow
October 2, 2011 at 5:05 am

Well, nearly. And please forgive my uncharacteristic enthusiasm, but Virus Bulletin's annual conference is really one of the highlights of the year for the research community. Not only because of the quality of the event itself (which is very, very high!) but also because it's one of the few events that most of us manage … Read More…

Comments: 0
by David Harley Senior Research Fellow
August 15, 2011 at 9:31 am

[Updated. Twice.]
'Tis the season to get ready for the autumn round of security conferences. For me, it starts at the beginning of September with a small but perfectly formed Forensics conference at Canterbury Christ Church University, in the UK, where I'll be presenting on "Man, Myth, Malware and Multiscanning" – a presentation I'm … Read More…

Comments: 3
by Pierre-Marc Bureau Senior Malware Researcher
May 10, 2011 at 1:43 pm

Our colleagues Aleksandr Matrosov and Eugene Rodionov are tracking the evolution of TDL4 (also known as Win32/Olmarik). The following is a report on the latest TDL4 update, released last week.
In our previous blog post, we described how the latest Microsoft Security Update modified the Windows OS loader (winloader.exe) to fix a vulnerability that allowed the … Read More…

Comments: 2
by David Harley Senior Research Fellow
March 2, 2011 at 12:21 pm

My colleague Aleksandr Matrosov today received an interesting sample of TDL4 from another of my colleagues, Pierre-Marc Bureau: this sample downloads and installs another malicious program, Win32/Glupteba.D. This was the first instance he'd come across of TDL4 being used to install other malware, and here's his account of what he found.
A sample of Win32/Olmarik.AOV was obtained … Read More…

Comments: 1
by David Harley Senior Research Fellow
December 31, 2010 at 12:55 pm

Pierre-Marc tells me that he has received two malware samples that grabbed his attention due to their resemblance to Storm/Waledac. They use the same kind of distribution mechanism: that is, spam with links to a New Year eCard, with titles like "New Year Wishes!" and "You Received an Ecard." The mail contains … Read More…

Comments: 0
by David Harley Senior Research Fellow
December 22, 2010 at 12:36 pm

The case for in-the-lab botnet experimentation: creating and taking down a 3000-node botnet
By Joan Calvet, Carlton R. Davis, José M. Fernandez, Jean-Yves Marion, Pier-Luc St-Onge, Wadie Guizani, Pierre-Marc Bureau, and Anil Somayaji
This paper, presented at the Annual Computer Security Applications Conference (2010), and to which ESET's Pierre-Marc Bureau was a contributor, discusses alternative approaches to … Read More…

Comments: 0
by David Harley Senior Research Fellow
December 19, 2010 at 2:34 pm

Our own Pierre-Marc Bureau was heavily quoted in an article by Tom Simonite on the École Polytechnique de Montreal's use (in collaboration with researchers from Nancy University, France, and Carleton University, Canada) of a cluster of servers for an experiment with a live botnet.
The article refers to a recent paper on "The case … Read More…

Comments: 0