RunPE: How to hide code behind a legit process

Study of a hack used by malware to hide code inside a well-known process.

Introduction

Disclaimer: This is not a tutorial to make a malware, but a practical case for educational purposes only. Anyway, this is […]

calc.exe strings appear in explorer.exe sections

(damballa.com)

Malware, viruses, what are they?

General explanation about different kinds of online threats: what they do, and how.

Introduction

Viruses, malware, worms, adware: there are many different kinds of online threats. It can be confusing for one to understand the level of dangerousness of each, what […]


Of PUPs and other demons

Story about a PUP using malware technology…

Introduction

What is a PUP? PUP means “Potentially Unwanted Program”. They are designated that way (or sometimes “Not-A-Malware”) because they are in theory not harmful for you, just annoying. A few examples: Zeus is […]


BHO: A spy in your browser

Or how Internet Explorer extensions can turn into a spy.

Introduction

What is a BHO? A BHO (for Browser Helper Object) is a module (often a DLL) that acts as a plugin for either explorer.exe or Internet Explorer. Most of […]


Bootkit removal with RogueKiller

How to remove Bootkits with RogueKiller

Description

Bootkits are rootkits infecting the Master Boot Record (MBR) or sometimes the Volume Boot Record (VBR) of a partition. Those rootkits take advantage of very early loading in the system to bypass antiviruses and hide […]

Boot process

Second stage payload in registry value

Gootkit/Xswkit removal with RogueKiller

How to remove Gootkit variants (Xswkit) with RogueKiller

Little Analysis

Gootkit is a malware with trojan/backdoor features and fileless behavior. The payload (malware file) is injected into several legit processes, and loaded at boot time by a RUN key calling the injector. […]


Zeus removal with RogueKiller

How to remove Zeus variants (Citadel) with RogueKiller

EDIT October 4th, 2014

If the only process detected is your Antivirus, please ignore the detection. We are working on this issue, which is not really a bug, but a problem of signature scanner […]
