VB2014 (Virus Bulletin International Conference) - September 2014
Drive-by downloads served by exploit kits are currently one of the most prevalent malware distribution vectors. After BlackHole’s downfall (see SIRv15), the exploit kit landscape is more fragmented. We’ll discuss several prevalent exploit kits that have filled the gap, such as Neutrino, Fiesta, Nuclear Pack, Angler, and others.
This paper analyzes the technical details of exploits using CVE-2013-5330 and CVE-2014-0497. It unveils some interesting tricks used by these exploits to make the attacks more reliable and stealthy, such as improved leaked gadgets using a JIT spray technique. The malware components distributed by these exploits, namely Win32/Lurk and Win32/Siromost, will also be discussed.
CARO 2014 (8th International CARO workshop) - May 2014
Banking trojans have been around for years in the threat landscape. They are robust and are often updated to attack and infect the latest devices and mobile operating systems that users can access. These types of malware have been present in the desktop space for years now, but have managed to establish their presence in the mobile space to keep up with the ongoing demand for mobile banking. So, what is the next evolution in mobile banking malware?
AVAR 2013 (16th Association of Antivirus Asia Researchers International Conference) - December 2013
Our research into Zbot's (Citadel) components has resulted in better gathering of new and undetected samples, detection, and remediation of Zbot-based infections. We’ve also found ways to disrupt its money flow by analyzing its configuration file that led to the take-down of some of Zbot’s C&C servers and intercepted updated Zbot binary downloads. This paper discusses how we used a characteristic in Zbot’s installation method to identify unknown variants and newly compromised machines.
VB2013 (Virus Bulletin International Conference) - October 2013
Much has been written on the ethics and timing of vulnerability disclosure, but what about exploitation? When a vulnerability is being exploited in the wild, should the general public be informed immediately? This paper will highlight multiple scenarios, showing empirical data from real-world case studies that identify when disclosure can be helpful and when it can do harm.
Since the introduction of DEP (Data Execution Prevention) to block shellcode from execution, the use of ROP (Return-Oriented Programming) in exploits has increased over the past decade. ROP is an exploit technique that uses the mechanism of a calling convention to execute attacker-specified code locations that are linked as ROP chains. This paper will show how it is possible to detect these chains that are targeted towards various applications.
This paper analyses the malware infection rates of computers with various states of anti-malware protection. Specifically, it compares the infection rates of computers with no anti-malware protection, to those with anti-malware protection running with out-of-date signatures, to those with up-to-date anti-malware. The role of cloud-based protection is also evaluated.
Over the past year, in response to changing conditions in the wild, we've bolstered our approach to potentially unwanted software. The release of Defender in Windows 8 last year turned our research focus more closely towards consumers as the largest audience segment for our technology and protection. This led us to re-evaluate our approach, and further reflect on the values, expectations and experience of our users.
CARO 2013 (7th International CARO Workshop) – May 2013
Are you going to “Scarborough Fair”
Firewall and Network Address Translation (NAT) have been widely deployed and are commonly used by organizations as a part of their network infrastructure. In November 2012, we discovered a new mysterious breed of malware which has been used to target a global organization. This malware, named Exforel, has been designed to penetrate the firewall / NAT under certain circumstances.