ESET Threat Blog

by Robert Lipovsky Malware Researcher
October 11, 2011 at 11:23 am

ESET had quite a strong representation at Virus Bulletin this year in Barcelona, as David Harley mentioned in his post prior to the conference.
On the first day, Pierre-Marc Bureau presented his findings about the Kelihos botnet, David Harley and AVG’s Larry Bridwell discussed the usefulness and present state of AV testing, and to finish the … Read More…

Comments
2

by Pierre-Marc Bureau Senior Malware Researcher
May 10, 2011 at 1:43 pm

Our colleagues Aleksandr Matrosov and Eugene Rodionov are tracking the evolution of TDL4 (also known as Win32/Olmarik). The following is a report on the latest TDL4 update, released last week.
In our previous blog post, we described how the latest Microsoft Security Update modified the Windows OS loader (winloader.exe) to fix a vulnerability that allowed the … Read More…

Comments
2

by David Harley Senior Research Fellow
March 2, 2011 at 12:21 pm

My colleague Aleksandr Matrosov today received an interesting sample of TDL4 from another of my colleagues, Pierre-Marc Bureau: this sample downloads and installs another malicious program, Win32/Glupteba.D. This was the first instance he'd come across of TDL4 used to install other malware, and here's his account of what he found.
A sample of Win32/Olmarik.AOV was obtained … Read More…

Comments
1

by David Harley Senior Research Fellow
December 31, 2010 at 12:55 pm

Pierre-Marc tells me that he has received two malware samples that grabbed his attention due to their resemblance to Storm/Waledac. They use the same kind of distribution mechanism: that is, spam with links to a New Year eCard, with titles like "New Year Wishes!" and "You Received an Ecard." The mail contains … Read More…

Comments
0

by David Harley Senior Research Fellow
December 31, 2010 at 11:14 am

The December ThreatSense report, being the last report of the year, is a little bigger than usual, and takes a longer view. It includes:

A feature article by Pierre-Marc Bureau and Alexis Dorais Joncas on the Bflient.K malware kit.
A feature article by Urban Schrott on "The Wikileaks Affair and the Cyberworld".
ESET researchers across the globe putting … Read More…

Comments
0

by David Harley Senior Research Fellow
December 22, 2010 at 12:36 pm

The case for in-the-lab botnet experimentation: creating and taking down a 3000-node botnet
By Joan Calvet, Carlton R. Davis, José M. Fernandez, Jean-Yves Marion, Pier-Luc St-Onge, Wadie Guizani, Pierre-Marc Bureau, and Anil Somayaji
This paper, presented at the Annual Computer Security Applications Conference (2010), and to which ESET's Pierre-Marc Bureau was a contributor, discusses alternative approaches to … Read More…

Comments
0

by David Harley Senior Research Fellow
December 19, 2010 at 2:34 pm

Our own Pierre-Marc Bureau was heavily quoted in an article by Tom Simonite on the use by the École Polytechnique de Montréal (in collaboration with researchers from Nancy University, France, and Carleton University, Canada) of a cluster of servers for an experiment with a live botnet.
The article refers to a recent paper on "The case … Read More…

Comments
0

by Pierre-Marc Bureau Senior Malware Researcher
November 16, 2010 at 11:46 am

This weekend, an unnamed worm forced Microsoft to temporarily suspend active links in Live Messenger 2009, in order to prevent the aggressive worm from spreading further. This is quite a surprising measure, because worms spreading through Instant Messaging (IM) such as Skype, Yahoo! Messenger and Microsoft Live Messenger are not new at all! For example, … Read More…

Comments
4

by David Harley Senior Research Fellow
November 10, 2010 at 2:55 am

Our interim analysis of a version of the malware we detect as Java/Boonana.A or Win32/Boonana.A (depending on the particular component of this multi-binary attack) differs in some characteristics from other reports we've seen.
The most dramatic difference is in the social engineering hook used in messages sent to an infected user's friends list. Other reports (including … Read More…

Comments
3

by David Harley Senior Research Fellow
October 13, 2010 at 2:27 pm

Another Virus Bulletin conference paper has just gone up on the ESET white papers page, by kind permission of the magazine.
Large-Scale Malware Experiments: Why, How, And So What? by Joan Calvet, Jose M. Fernandez, our own Pierre-Marc Bureau, and Jean-Yves Marion, discusses how they replicated a botnet for experimental purposes, and what use they made of … Read More…

Comments
1
