Michal Krejdl

Michal Krejdl

10 May 2016

Andromeda distributors craft new strategies for attacks

Most of the distribution channels of the popular Andromeda botnet (also known as Gamarue) have been discovered and analyzed by antivirus vendors. This has forced Andromeda's distributors to devise a new attack strategy in order to keep dropping Andromeda binaries onto PCs.

Meanwhile at the Andromeda headquarters…

Operator: “Captain, all of our distribution channels have been discovered!”

Captain: “Report the loss...”

Operator: “Email scams, exploit kits, everything is known to the public.”

Captain: “Operator, let’s start with plan N!”

Operator: “Roger that, captain.”

Before we dive into Andromeda's new tactic, I'd recommend reading this article by fellow security researchers from Stormshield, which describes one of Andromeda's most recent phishing campaigns. We have observed similar Andromeda email phishing campaigns. Most of the emails we have seen appear to target Germans and Italians. However, these two target groups seem too clever to fall for the bait, as they are not among the most infected users.

Some of the popular subject lines used to target Germans and Italians are “Your current bill” and “A nude photo of you has appeared on the Internet”.



Security News

Michal Krejdl

16 February 2016

In search of the perfect instruction

Knowing the language of common microprocessors is essential for the work of virus analysts across the AV industry.

Each program you run - clean or malicious, it doesn't matter - is actually a sequence of commands (called instructions) specific to a particular processor architecture. An instruction can be very simple, e.g. the addition of two numbers, but modern processors also implement very complex operations, cryptographic primitives included, as single instructions.

As a processor architecture evolves over time, it becomes more and more complicated, and understanding or decoding its language gets harder. It (hypothetically) does not have to be like this, but there's a hell called backward compatibility: every new encoding has to coexist with the old ones, so the meaning of a byte often depends on the mode the processor is running in and on the prefixes that came before it.
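As an added illustration of that backward-compatibility burden (example code written for this page, not part of the original post or of any Avast tool): a toy decoder for a handful of x86 opcodes that handles legacy prefixes, the REX prefix, ModRM/SIB addressing and immediates. The same byte sequence 48 89 C8 is one instruction (mov rax, rcx) in 64-bit mode but two instructions (dec eax; mov eax, ecx) in 32-bit mode, because the 0x40-0x4F bytes that encoded inc/dec for two decades were reassigned as REX prefixes in x86-64. The opcode table is deliberately tiny: only mov r/m,r (0x89), mov r,imm (0xB8-0xBF), inc/dec (0x40-0x4F, 32-bit mode only) and ret (0xC3) are recognised, and memory operands are not pretty-printed.

```python
# Added example: a toy x86 / x86-64 instruction decoder covering a handful of
# opcodes, written to show why the same bytes mean different things depending
# on the execution mode. Not production code and not part of any AV engine.

REGS = {
    16: ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di",
         "r8w", "r9w", "r10w", "r11w", "r12w", "r13w", "r14w", "r15w"],
    32: ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi",
         "r8d", "r9d", "r10d", "r11d", "r12d", "r13d", "r14d", "r15d"],
    64: ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
         "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"],
}
# Legacy prefixes: operand size, address size, LOCK, REPNE/REP, segment overrides.
LEGACY_PREFIXES = {0x66, 0x67, 0xF0, 0xF2, 0xF3, 0x26, 0x2E, 0x36, 0x3E, 0x64, 0x65}


def modrm_length(code, i):
    """Bytes consumed by ModRM + optional SIB + displacement starting at code[i]."""
    modrm = code[i]
    mod, rm = modrm >> 6, modrm & 7
    n = 1
    if mod == 3:                      # register-direct: no SIB, no displacement
        return n
    if rm == 4:                       # SIB byte follows
        sib = code[i + 1]
        n += 1
        if mod == 0 and (sib & 7) == 5:
            n += 4                    # no base register: disp32 instead
    if mod == 1:
        n += 1                        # disp8
    elif mod == 2 or (mod == 0 and rm == 5):
        n += 4                        # disp32 (RIP-relative in 64-bit mode when rm == 5)
    return n


def decode_one(code, i, mode64):
    """Decode one instruction at code[i]; return (length, text)."""
    start = i
    opsize_override = False
    rex = 0
    while i < len(code) and code[i] in LEGACY_PREFIXES:   # any number, any order
        opsize_override |= code[i] == 0x66
        i += 1
    if i >= len(code):
        raise ValueError("truncated instruction: prefixes without an opcode")
    # 0x40-0x4F: REX prefix in 64-bit mode, but inc/dec r32 in 32-bit mode.
    if mode64 and 0x40 <= code[i] <= 0x4F:
        rex = code[i]
        i += 1
    opsize = 64 if rex & 8 else (16 if opsize_override else 32)   # REX.W beats 0x66
    op = code[i]
    i += 1
    if 0x40 <= op <= 0x4F:
        if mode64:                    # REX followed by another REX-range byte is #UD
            raise ValueError("invalid: REX followed by REX-range byte")
        text = f"{'inc' if op < 0x48 else 'dec'} {REGS[opsize][op & 7]}"
    elif op == 0x89:                  # mov r/m, r
        modrm = code[i]
        reg = ((modrm >> 3) & 7) | ((rex & 4) << 1)   # REX.R extends reg
        rm = (modrm & 7) | ((rex & 1) << 3)           # REX.B extends r/m
        n = modrm_length(code, i)
        if modrm >> 6 == 3:
            text = f"mov {REGS[opsize][rm]}, {REGS[opsize][reg]}"
        else:
            text = f"mov [mem], {REGS[opsize][reg]}"  # memory operand not pretty-printed
        i += n
    elif 0xB8 <= op <= 0xBF:          # mov r, imm
        reg = (op & 7) | ((rex & 1) << 3)
        imm_len = opsize // 8         # REX.W: 8-byte immediate, 10-byte instruction
        imm = int.from_bytes(code[i:i + imm_len], "little")
        i += imm_len
        text = f"mov {REGS[opsize][reg]}, {imm:#x}"
    elif op == 0xC3:
        text = "ret"
    else:
        raise ValueError(f"opcode {op:#04x} is not in this toy table")
    return i - start, text


def decode(code, mode64):
    """Decode a whole byte string into a list of (length, text) tuples."""
    out, i = [], 0
    while i < len(code):
        length, text = decode_one(code, i, mode64)
        out.append((length, text))
        i += length
    return out


if __name__ == "__main__":
    sample = bytes.fromhex("4889C8")           # constructed sample: 48 89 C8
    print("64-bit:", decode(sample, True))     # [(3, 'mov rax, rcx')]
    print("32-bit:", decode(sample, False))    # [(1, 'dec eax'), (2, 'mov eax, ecx')]
```

Run the same bytes through both modes and the point of the post becomes concrete: an emulator or disassembler that gets the mode, a prefix or a REX bit wrong does not merely misname a register, it desynchronises on instruction boundaries and decodes garbage from then on, which is exactly what packers exploit against naive analysis tools.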



Threat Research, Security News

Michal Krejdl

29 April 2013

High profile site scares users

We come across plenty of malware reports every day. Sometimes we have to deal with special cases where a respected vendor is involved. This time it was Dell's driver download site.

Download site


Threat Research, Security News

Michal Krejdl

13 February 2013

Avast antivirus 2012 trial? No, just a scam

I don't know what kind of curiosity leads people to the dark corners of the internet when they want to obtain a new version of antivirus software. It's somewhat irrational to look for security software in insecure places. But... it happens.

FP submission

As you can see, the file name is Avast_Antivirus_2012_Trial_Verion.exe - but it is definitely not a proper setup released by us. Here are some facts that are worth remembering:


Threat Research, Security News

Michal Krejdl

26 November 2012

Sality: A Nasty Binary Tracked Down from Download.com

What a weird positive we've just spotted on CNET's Download.com...

Win32:SaliCode blocked

Threat Research, Security News

Michal Krejdl

6 September 2012

LookMyPC or InfectMyPC?

For those who remember my article about the "immortal" virus: here's the proof. LookMyPC is software for remote support and similar tasks. It has an official web page with downloads, which is unfortunately a place where you can meet the Win32:Parite virus.

Parite is still with us

Threat Research, Security News

Michal Krejdl

11 May 2012

Deeper and deeper

Don't worry, we're not gonna watch movies marked with an asterisk :P. However, from the malware analyst's point of view, the following lines might be somewhat "spicy". We'll take a look at a suspected false positive submitted as a regular GameMaster setup. The file appeared in our FP submission system with the usual comment "it's clean" or something like that, so we can only guess that the file was not obtained from an official source.


Threat Research, Security News

Michal Krejdl

6 April 2012

Lazy Friday? Maybe next time

Some of you may think that Friday (especially the afternoon) is an informal prequel to the weekend's relaxation. As such, it should be devoted to putting your legs up on the desk and sipping long drinks from a glass with a little umbrella. You know, no one wants to get into a last-minute embroilment. Unfortunately, malware never seems to sleep, so Friday can provide us with interesting revelations.


Threat Research, Security News

Michal Krejdl

29 January 2012

Unexpected Czech footprint

I've already seen many strange things inside malware packers, but there's always something surprising. The latest time, it was during the analysis of a packer used to wrap Zbot, LockScreen and similar binaries (detected under various MalOb-* [Cryp] names). There's a block of allocated memory holding a long list of names. But these names are not used for anything related to malware execution, they're not visible to the user (unless you emulate/trace the sample), and they have no special purpose. So why are they there? And where's the Czech footprint?


Threat Research, Security News

Michal Krejdl

14 October 2011

Communicative malware writers

Do you remember the Mystic compressor and its "shouts" to the world, especially to the Sunbelt guys? I hope so, but just in case, here's one screenshot:

And now we've got a kind of response from the Morphex authors as well :-)


Threat Research, Security News