code injection


Dofoil, also known as Smoke Loader, is a modularized botnet that has existed for a few years. Since 2013, we had not received any new variants of this bot, and the command-and-control (C&C) servers of its previous variants are no longer accessible, making Dofoil seem like a dead botnet. In September 2014, however, we received a brand new Dofoil variant that carries more features. This blog post will discuss our brief analysis of this new variant, which we are detecting as W32/Zurgop.BK!tr.dldr. New Dofoil? The previous Dofoil botnet...
by He Xu  |  Nov 12, 2014  |  Filed in: Security Research
Researchers recently discovered a new banking trojan that, like the recently fallen Zeus botnet, is also capable of bypassing the Secure Sockets Layer (SSL). Some speculation even suggests that this baddy is filling the empty shoes that Zeus has left behind. Let's take a closer look and figure out how to tell if you're infected. Banking URLs: Within the malware code, a list of URLs for banking and other financial institutions can be found. Figure 1 shows these strings in memory. [Figure 1: banking URL strings found in the malware's memory] Figure...
by Raul Alvarez  |  Jun 20, 2014  |  Filed in: Security Research
date: 2014-05-01 01:00:00 -0700 category: "Security Research" [This article originally appeared in Virus Bulletin](http://www.virusbtn.com/virusbulletin/archive/2014/02/vb201402-Sality) [For Part 1 of this article, click here](http://blog.fortinet.com/Salted-Algorithm---Part-1/) Sality has been around for many years, yet it is still one of today's most prevalent pieces of malware. Last month, we described Sality's algorithm, showing the strengths of its encryption, how it uses the stack as temporary memory for code manipulation, and...
by Raul Alvarez  |  Jul 30, 2012  |  Filed in: Security Research
Recently, we stumbled upon a strange JavaScript file; at first sight, it looked like a totally legitimate, clean file. The file is named jquery.js and has all the characteristics of a proper jQuery file. Even the header was kept: /* * jQuery JavaScript Library v1.3.1 * http://jquery.com/ * * Copyright (c) 2009 John Resig * Dual licensed under the MIT and GPL licenses. * http://docs.jquery.com/License * * Date: 2009-01-21 20:42:16 -0500 (Wed, 21 Jan 2009) * Revision: 6158 */ jQuery is a popular JavaScript library, described on its homepage (http://jquery.com/) as...
by David Maciejak  |  Apr 30, 2009  |  Filed in: Security Research