Channel: MalwareTech
Browsing all 139 articles


Rovnix new "evolution"

Rovnix is an advanced VBR (Volume Boot Record) rootkit best known for being the bootkit component of Carberp. The kit operates in kernel mode, uses a custom TCP/IP stack to bypass firewalls, and stores...




FBI Cybercrime Crackdown - Blackshades

It would seem the FBI is cracking down on cybercrime (well script-kiddies at least), with a bunch of international raids carried out in the past few days and more said to come. As of today it seems...




A Few Reasons for Maximum Password Length

A lot of people have recently been wondering the reason behind maximum password lengths, after it was revealed that eBay limited passwords to 20 characters. Many people see this as a security flaw (and...



Hacking Soraya Panel - Free Bot? Free Bots!

Some security agencies have been raving about a revolutionary new bot that combines point-of-sales card grabbing (ram scraping) with form grabbing. The bot is actually not very interesting and pretty...



Usermode System Call hooking - Betabot Style

This is literally the most requested article ever, I've had loads of people messaging me about this (after the Betabot malware made it famous). I had initially decided not to do an article about it,...




A Quick Update

You've probably noticed there have been no articles in quite a while; part of this is due to a lack of interesting malware samples to look at, but it's mainly because I'm working on a new website. I've...



Astute Explorer (GCHQ Challenge 1 - 5)

GCHQ has been having trouble finding experienced hackers and programmers to work for them, so they've put out a lot of, admittedly fun, challenges. The idea is that people who do well in the online...



Astute Explorer (GCHQ Challenge 5 - 10)

Continuation of http://www.malwaretech.com/2014/09/astute-explorer-gchq-challenge-1-5.html. Vulnerability: on line 26 the function fails if exactly BLOCK_SIZE is not read, which means that if there is data...




Usermode Sandboxing

A lot of people (including myself, until recently) think that effective sandboxing requires a filter driver or kernel hooking, but this is no longer the case. A new security feature introduced in...




New IRC Launch

For anyone still into IRC, MalwareTech has partnered with sigterm.no to launch a new IRC network. It's still fairly new so don't expect an instant response, but everyone is welcome (socializing or just...



Creating a Secure Tor Environment

As we all know, there are ways that your real IP can be leaked when using Tor (JavaScript, Flash, malware and software errors). In this tutorial I'm going to show how to create a fairly secure Tor...



Passive UAC Elevation

I had a cool idea for a way to get the user to passively elevate your application without socially engineering them to do so or requiring exploits. Obviously you could just go ahead and start mass...



How MS14-066 (Winshock) is More Serious Than First Thought

If you've been in a coma for the past week, MS14-066 is a TLS heap overflow vulnerability in Microsoft's schannel.dll, which can result in denial of service and even remote code execution on Windows...




MS14-066 In Depth Analysis

A few days ago I published an article detailing how a second bug, in the schannel TLS handshake handling, could allow an attacker to trigger the DecodeSigAndReverse heap overflow in an application that...



Fraudsters & Malware Sellers Still Shifting to the Deep Web

On November 6th and 7th a global operation (dubbed Operation Onymous) was carried out against illegal (mostly black market) sites hosted on the Tor network; as a result, over 400 hidden services were...




Virtual File Systems for Beginners

A Virtual File System (VFS), sometimes referred to as a Hidden File System, is a storage technique most commonly used by kernel-mode malware, usually to store components outside of the existing...



Zombie Processes as a HIPS Bypass

A long, long time ago (about 10 years in non-internet time) malware developers only had to worry about signature-based detection, which could be easily bypassed with polymorphic droppers or executable...




Phase Bot - A Fileless Rootkit (Part 1)

Phase Bot is a fileless rootkit that went on sale during late October. The bot is fairly cheap ($200) and boasts features such as formgrabbing, FTP stealing, and of course the ability to run without a...



Phase Bot - A Fileless Rootkit (Part 2)

As I said in the last part of the analysis, the sample I had was just a test binary, but now I have some real ones thanks to some help from @Xylit0l. The new binaries incorporate some much more...



OphionLocker: Proof Anyone Really Can Write Malware

OphionLocker is supposedly the new ransomware on the block and is already being compared with sophisticated operations such as CryptoLocker and CryptoWall, so I decided to take a look, and what I found...

