Alex Matrosov

Modern malware is always evolving because malware authors are constantly finding new ways to bypass security and avoid detection. Defending against (and even discovering) the latest malicious software requires cunning and extensive expertise because attackers have become much more sophisticated ...

A comprehensive analysis of the latest member of the TDSS/Olmarik/Alureon family, which has learned some radical new tricks.

During a joint fraud investigation with Group-IB into a remote banking service, our colleagues in Russia analysed a number of samples passed on by the computer forensics experts at Group-IB. On the surface, what they were looking at was pretty much the standard: Zbot Trojan malware, which has been described many times, but they decided to probe a little further, and were rewarded by observing some rather unusual characteristics of the code in question, The Zeus botnet is interesting and highly… Show more

During a joint fraud investigation with Group-IB into a remote banking service, our colleagues in Russia analysed a number of samples passed on by the computer forensics experts at Group-IB. On the surface, what they were looking at was pretty much the standard: Zbot Trojan malware, which has been described many times, but they decided to probe a little further, and were rewarded by observing some rather unusual characteristics of the code in question, The Zeus botnet is interesting and highly adaptive malware with an unhealthy interest in various financial transactions carried out from an infected machine, such as online banking. Show less

During the course of their research into the TDSS rootkit, Aleksandr Matrosov and Eugene Rodionov developed a universal utility for dumping the rootkit’s hidden file system. Here they provide the details

This report is devoted to the analysis of the notorious Stuxnet worm (Win32/Stuxnet) that suddenly attracted the attention of virus researchers this summer. This report is primarily intended to describe targeted and semi-targeted attacks, and how they are implemented, focusing mainly on the most recent, namely Stuxnet. This attack is, however, compared to the Aurora attack, outlining the similarities and differences between the two attacks.
The paper is structured as follows. In the first… Show more

This report is devoted to the analysis of the notorious Stuxnet worm (Win32/Stuxnet) that suddenly attracted the attention of virus researchers this summer. This report is primarily intended to describe targeted and semi-targeted attacks, and how they are implemented, focusing mainly on the most recent, namely Stuxnet. This attack is, however, compared to the Aurora attack, outlining the similarities and differences between the two attacks.
The paper is structured as follows. In the first section we introduce the targeted attacks and their common characteristics and goals. In this section we present comparison of two attacks: Stuxnet vs.
Aurora. The second section contains some general information on SCADA (Supervisory Control And Data Acquisition) systems and PLCs (Programmable Logic Controllers) as Stuxnet’s primary targets of. The third section covers the distribution of the Stuxnet worm. Here we describe vulnerabilities that it exploits to infect the target machine. The next section describes the implementation of Stuxnet: user-mode and kernel-mode components, RPC Server and their interconnection. We also describe the remote communication protocol that it uses to communicate with the remote C&C. Show less

Subtitled "Account of an Investigation into a Cybercrime Group", this is a comprehensive consideration, by researchers with ESET’s in Russia, of the distribution and the internals of the TDL3 Rootkit, and the involvement of the Dogma Millions group.