Malware Analysis

Usermode System Call hooking – Betabot Style

This is literally the most requested article ever, I’ve had loads of people messaging me about this (after the Betabot malware made it famous). I had initially decided not to do an article about it, because it was fairly undocumented and writing an article may have led to more people …

Malware Analysis

Rovnix new “evolution”

Rovnix is an advanced VBR (Volume Boot Record) rootkit best known for being the bootkit component of Carberp. The kit operates in kernel mode, uses a custom TCP/IP stack to bypass firewalls, and stores components on a virtual filesystem outside of the partition. Yesterday Microsoft posted an update explaining a …

Malware Analysis

PowerLoader Injection – Something truly amazing

I’m not dead It has been a while since i wrote an article (I’ve been pretty busy in real life), so I decided to get writing. This article will probably only make sense to people from a malware research / programming background, but to compensate i will be posting a …

Malware Analysis

Rise of the dual architecture usermode rootkit

A bit about past rootkits In the past it has been very common to see usermode rootkits that only attack one architecture, which has usually been 32-bit. A standard rootkit injects code into specific/all running processes in order to modify code inside them, this then allows it to hide itself …