virus bulletin


VB 2016 Conference was held this year at the Hyatt Regency Hotel in Denver, CO, USA. This conference is an annual event where IT security researchers from around the world gather to share their knowledge, learn, and discuss trends in the global threat landscape. This year we had the privilege to attend as well as meet, hang out with, and share ideas with some of the field’s top researchers. The conference scheduled a great lineup of speakers and presentations, so it was tough to pick which topic to attend. We are going to share some here...
by Floser Bacurio Jr. and Rommel Joven  |  Oct 18, 2016  |  Filed in: Industry Trends & News
My personal favorite talk was on exploiting Pebble smartwatches ("Exploit Millions of Pebble Smartwatches for Fun and Profit" by Zhang and Wei). Our expectations are usually higher in one's own field of expertise, but this one is really great work.
[Image: Pebble smartwatch talk at VB 2016]
Basically, the authors found an inner assembly routine in Pebble's operating system which allows one to elevate one's privileges. If you are familiar with ROP, this is a privilege elevation gadget. Normally, this routine is called by Pebble...
by Axelle Apvrille  |  Oct 14, 2016  |  Filed in: Industry Trends & News
VB 2016 Presentation – Oct 5-7, Denver
When we first saw and analyzed Locky back in February, we immediately had a hunch that it was the work of seasoned criminals. The tell-tale signs were strong: massive spam runs were used to spread the ransomware, the malware used a domain generation algorithm, the HTTP C2 communication was encrypted (the first version, that is), and the ransomware note was multilingual. The conclusion of our first Locky blog reads: “We also predict that Locky ransomware will be a major player in the ransomware...
by Floser Bacurio, Rommel Joven and Roland Dela Paz  |  Sep 30, 2016  |  Filed in: Security Research
Adaptive and comprehensive protection against an evolving threat landscape can be a complex discussion. When you add in layers of marketing hype, footnoted claims, and qualified conditions, then it’s not surprising to hear that customers get confused when it comes to choosing security for their business. If what a customer sees after deployment doesn’t measure up to the promises, that creates understandable trust issues and frustration for someone who thought they were buying a proven and reputable solution. Changes to network...
by John Maddison  |  Feb 29, 2016  |  Filed in: Industry Trends & News
BSides held its third annual conference in Vancouver, Canada. It was a successful event attended by local security researchers and whitehat hackers alike; a few delegates from other countries could also be seen hanging around. There were lots of nice presentations loaded with a mix of topics, as you would normally see at other big conferences.
Reversing Malware
I personally presented a talk about reverse engineering titled: “Malware Analysis in a Straightjacket”. I talked about some of the varying techniques that malware use in order to avoid...
by Raul Alvarez  |  Mar 26, 2015  |  Filed in: Security Research
[This article originally appeared in Virus Bulletin](http://www.virusbtn.com/virusbulletin/archive/2013/08/vb201308-Andromeda) Recently, we found a new version of the Andromeda bot in the wild. This version has strengthened its self-defense mechanisms by utilizing more anti-debug/anti-VM tricks than its predecessors. It also employs some novel methods for trying to keep its process hidden and running persistently. Moreover, its communication data structure and encryption scheme have changed, rendering the old Andromeda IPS/IDS signatures useless. In...
by Neo Tan  |  Apr 23, 2014  |  Filed in: Security Research
[This article originally appeared in Virus Bulletin](http://www.virusbtn.com/virusbulletin/archive/2013/05/vb201305-Andromeda-botnet) Andromeda is a modular bot. The original bot simply consists of a loader, which downloads modules and updates from its C&C server during execution. The loader has both anti-VM and anti-debug features. It will inject into trusted processes to hide itself and then delete the original bot. The bot hibernates for a long time (from several days to months) between communications with its C&C server. As a result,...
by He Xu  |  Apr 16, 2014  |  Filed in: Security Research
[This article originally appeared in Virus Bulletin](https://www.virusbtn.com/virusbulletin/archive/2013/12/vb201312-KakaoTalk) The Android/FakeKakao trojan disguises itself as a KakaoTalk security plug-in as a means to lure users to install it. Once installed, it monitors incoming and outgoing SMS messages, sends SMS spam, gathers sensitive information and communicates with its remote server. Moreover, it incorporates anti-debugging and anti-emulator tricks and disables some security software. Unlike other malware, the trojan's DEX (Dalvik...
by Zhe Li  |  Feb 13, 2014  |  Filed in: Security Research
[This article originally appeared in Virus Bulletin](http://www.virusbtn.com/virusbulletin/archive/2013/11/vb201311-Neurevt) Neurevt (also known as Beta Bot) is an HTTP bot [1] which entered the underground market around March 2013 and which is priced relatively cheaply [2]. Though still in its testing phase, the bot already has a lot of functionalities along with an extendable and flexible infrastructure. Upon installation, the bot injects itself into almost all user processes to take over the whole system. Moreover, it utilizes a mechanism...
by Zhongchun Huo  |  Jan 29, 2014  |  Filed in: Security Research
[This article originally appeared in Virus Bulletin](http://www.virusbtn.com/virusbulletin/archive/2013/10/vb201310-Zeus) We have seen hundreds, if not thousands, of variations of Zeus in the wild. The main goal of the malware does not vary, yet different functionalities have been added to its different iterations over time. This article discusses some of Zbot's functionalities in detail, such as: dropping a copy of itself and its components using random filenames, generating the registry key and some of its mutexes, and injecting code with...
by Raul Alvarez  |  Dec 09, 2013  |  Filed in: Industry Trends & News