Channel: MalwareTech
Browsing all 138 articles

Win64/Vabushky - The Great Code Heist

Introduction
This analysis is of a new winlocker dropper that was first seen in the wild last month. The binary is 64-bit, packed with MPRESS, and contains 3 local privilege escalation exploits...


Fighting Hooks With Hooks - Sandbox Escape

Introduction
I was pretty bored today and couldn't think of an article to write, so I decided I'd come up with an example of escaping a sandbox. Most sandboxes use hooks placed within user-mode DLLs in order...


Ring3 / Ring0 Rootkit Hook Detection 1/2

Introduction
The cybercrime underworld hasn't given me any exciting malware to reverse and I'm running out of ideas for new posts, so I'm going to do a 2-part article about the techniques used by...


Ring3 / Ring0 Rootkit Hook Detection 2/2

Introduction
This article was actually planned to be posted the day after the first; however, I've not had much sleep the past few weeks, then I got sick, so it was very delayed. I'm pleased with how...


KINS Source Code Leaked

Much Ado About Nothing
Today the KINS source code was posted publicly after being sold to just about everyone and their dog. As expected, it's just a Zeus modification containing code taken from various...


End of The Line for Solar Bot (Win32/Napolar)?

Solar Bot
Solar Bot is a new type of user-mode rootkit that created much hype by being "the first of its kind". The rootkit is able to inject and hook both 32-bit and 64-bit processes, making it...


Botnet Takedowns - fun and good publicity, nothing more

Takedowns
For the past year or so the Kelihos botnet has been in the news after constant attempts to take it down. Recently the ZeroAccess botnet has also been subject to similar publicity, but what do...


MtGox Nearly Breaks Bitcoin...Again

Previous Incident
In April 2013 large trading volume caused the MtGox trading engine to begin lagging. As soon as the trading engine lag started to build, traders panic-sold due to the increasing risk...



Portable Executable Injection For Beginners

Process Injection
Process injection is an age-old technique used by malware for 3 main reasons: running without a process, placing user-mode hooks for a rootkit or formgrabber, and bypassing antivirus...



Selfish Mining - How to make Yourself Broke

Selfish Mining
Selfish mining, in short, is a theoretical concept in which a malicious pool of miners could gain a better income by deliberately forking the blockchain. If a mining pool were to not...


Formgrabbers for Beginners

Introduction
For a long time malware has targeted web data such as site logins. A malicious application could intercept socket functions within a web browser and scan for HTTP headers in order to...


Infamous Skynet Botnet Author Allegedly Arrested

On the 4th of December the German Federal Criminal Police Office (BKA) issued a press release stating they had arrested two suspects for computer crimes, with the support of GSG 9 (a German special...


Peer-to-Peer Botnets for Beginners

With all the hype about the ZeroAccess take-down, I decided it might be a nice idea to explain how peer-to-peer botnets work and how they are usually taken down.
Traditional Botnets
A basic example of a...


2013 In Malware

As an end-of-year article, I thought it might be a nice idea to review some of the interesting (to me) malware-related events of this year. There's no specific order to the list, but I'll try to include...


The Centralization of Fraud

Everyone is aware of the dangers of credit/debit cards, right? You get infected with banking malware or you leave your wallet at the bar, next thing you know there are bills for things you don't...


Malware - A One Night Stand

Last night I had this idea that ransomware and other "stab you in the face then steal your wallet" types of malware are likely a result of the antivirus industry becoming better at dealing with...


Webinjects - The Basics

It's not uncommon for malware to use a technique known as formgrabbing; this is done by hooking browser functions responsible for encrypting and sending data to a webpage. By intercepting data before...


The 0x33 Segment Selector (Heavens Gate)

Since I posted the article about malware using the 0x33 segment selector to execute 64-bit code in a 32-bit (WOW64) process, a few people have asked me how the segment selector actually works deep...


Zorenium - The Bot That Never Was

I was first made aware of Zorenium bot at the start of November last year by a friend on Twitter (R136a1). There were no actual sales threads, just a discussion in IRC and a pastebin post detailing...


Coding Malware for Fun and Not for Profit (Because that would be illegal)

A while ago some of you may remember me saying that I was so bored of there being no decent malware to reverse, that I might as well write some. Well, I decided to give it a go and I've spent some of...
