When ELF.BillGates met Windows

If you are used to playing with honeypots, you have inevitably met the ELF.BillGates malware. It is a known[1] botnet that has been spreading over the Internet for 4 years. In a nutshell, ELF.BillGates is a (Chinese) DDoS botnet with backdooring features. It is a single binary whose behavior depends on its installation path[2]: Gate 0: Infection Monitor...

Warbird Operation

Introduction. Some time ago, while working on Windows 8, we came across a rather unusual piece of disassembly in some Microsoft binary files. This post describes some of our findings and how they relate to a Windows internal project called Warbird. Warbird is an enhancement of the license verification of Windows that is introduced...

Poweliks – Command Line Confusion

Recently, hFireF0X provided a detailed walkthrough on the reverse engineering forum kernelmode.info about the Win32/Poweliks malware. The particularity of this malware is that it resides in the Windows registry and uses rundll32.exe to execute JavaScript code. I found it funny that we can execute some JavaScript through Rundll32, and obviously I was not the only one...

Win32/Atrax.A

Atrax is a malware family discovered during the summer of 2013. It includes some basic features such as distributed denial-of-service, keylogging, stealing banking credentials, sending spam, and installing a Bitcoin miner. The particularity of Atrax is that it communicates with its command and control server over Tor, which is...

Weekly Cybernote #10

For this edition of the Weekly Cybernote, first of all, we will touch on Project Zero, the elite crack team set up by Google to fight zero-day attacks. We will then discuss an attack identified in China that apparently targeted databases of state employees living in the US. Lastly, we will look at how the...

Weekly Cybernote #9

For this 9th edition of our Weekly Cybernote, we will as usual cover three topics. The first concerns the new banking malware Dyreza, while the second will be about how YouTube is used by hackers to sell credit card numbers. Lastly, the third point revisits an old story about Nokia, who allegedly gave in to...
