Blog
Uncategorized

End of The Line for Solar Bot (Win32/Napolar)?

Solar Bot Solar Bot is a new type of usermode rootkit that created much hype by being “the first of it’s kind”. The rootkit is able to inject and hook both 32-bit and 64-bit processes, making it effective on 64-bit systems, which is uncommon for usermode rootkits. Solar bot makes …

Read More
Uncategorized
1

KINS Source Code Leaked

Much Ado About Nothing Today the KINS source code was posted publicly after being sold to just about everyone and their dog. As expected it’s just a Zeus modification containing code taken from various places (there is also evidence of the bootkit). As you can see in this image, there …

Read More
Uncategorized
4

Ring3 / Ring0 Rootkit Hook Detection 2/2

Introduction This article was actually planned to be posted the day after the first, however; I’ve not had much sleep the past few weeks, then I got sick, so it was very delayed. I’m pleased with how popular the previous article was, so in the future I plan to write …

Read More
Uncategorized
11

Ring3 / Ring0 Rootkit Hook Detection 1/2

Introduction The cybercrime underworld hasn’t given me any exciting malware to reverse and I’m running out of ideas for new posts, so I’m going to do a 2 part article about the techniques used by rootkits to intercept function calls, and how to detect them. The first part will explain …

Read More
Uncategorized

Fighting Hooks With Hooks – Sandbox Escape

Introduction I was pretty bored today and couldn’t think of an article to write, decided I’d come up with an example of escaping a sandbox. Most sandboxes use hooks placed within user-mode dlls in order to monitor process activity. If someone was able to remove or bypass these hooks, they …

Read More
Uncategorized

Win64/Vabushky – The Great Code Heist

Introduction This analysis is of a new winlocker dropper that was first seen in the wild last month, the binary is 64 bit, packed with MPRESS, and contains 3 local privilege escalation exploits (CVE-2013-3660, CVE-2012-1864, and CVE-2012-0217), as well as the PowerLoader injection method. 2 of the exploits and the …

Read More
Uncategorized
1

Personal Security – What Can Be Done?

Introduction It’s no secret that keeping your computer free from malware has become much harder. I remember about 12 years ago my friend showing me a CD and announcing that it was an antivirus, which would keep his computer free of all viruses. Back then having an antivirus would pretty …

Read More
Uncategorized
6

PowerLoader Injection – Something truly amazing

I’m not dead It has been a while since i wrote an article (I’ve been pretty busy in real life), so I decided to get writing. This article will probably only make sense to people from a malware research / programming background, but to compensate i will be posting a …

Read More
Uncategorized
10

Carberp source code now leaked

The Bootpocalypse While security blogs are still flooding the internet with the old news of the carberp source going on sale for $50k, I’d like to take some time to give you some slightly more recent news and a recap.  Towards the end of last month it became apparent to …

Read More
Uncategorized

Carberp source code, days away from full leak

Brief history Carberp was a banking bot that first came up on researchers’ radars in the last part of 2010. By the end of 2011 the bot had been spotted in the wild, testing with bootkit functionality. Come the end of 2012 the full kit, including the bootkit, were put …

Read More