Posts tagged malware analysis

Facebook-spread Adobe Update Malware Dissected and Source Code Revealed

A week ago security researcher Dancho Danchev published an excellent post – Fake Adobe Flash Player Serving Campaign Utilizes Google Hosting/Redirection Infrastructure, Spreads Across Facebook

I was curious to learn more about this malware, so I ran the rogue binary (Adobe Flash Update titled FlashGuncelle.exe) through our Vinsula Execution Engine (VEE) to analyze its behavior, and I also delved into specific facets of its source code. (more…)

Scripting Bot Malware: No Need to Learn C to Launch a Cyber Attack

T wo weeks ago we came across a piece of malware that turned out to be a full-blown bot—one that is capable of taking full control over a user’s machine, and all encapsulated within less than 3K lines of source code!  What’s scary is that writing it required no special skills.  Access to some existing tools—and of course the desire to write malicious code—was all the author needed. (more…)

Vinsula Execution Engine Analysis of Venomous Snake Zero-Day Malware – CopyHook.131019.A

Malware authors frequently seek code-execution methods that not only evade detection by AV software but also cover tracks and remove evidence that could reveal the origins of the malicious code.  Different methods exist for achieving these objectives, and the high degree of extensibility in Windows provides plenty of options for the bad guys to exploit. (more…)

Hunting Down FTP Password Stealer Malware with Vinsula Execution Engine

Malware authors are getting increasingly creative in their attempts to bypass security controls and gain access to critical information by using tools such as password stealer malware to steal credentials and intercept web traffic. In this post, we build a Behavioral Profile of Password Stealer Malware Trojan.FTP.13809.A. (more…)

Trojan.Plague.13604.B – Behavioral Signature Analysis of Mutopy Malware using Vinsula

A critical part of recent malware binaries is the executable component responsible for downloading the actual malware from a designated malware server.

Our colleague, security researcher Mila Parkour, published a link to a great post at DeepEnd Research (posted by Andre M. DiMino) with some interesting results about a downloader/trojan dubbed Trojan.Plague.13604.B. This malware is a variation of Mutopy  – Win32 found by Sophos.

Trojan.Malaria.13002 – Malware Behavioral Signature Analysis

Given the widespread continued use of spear phishing campaigns, it generally wise to approach any emails containing attachments or links to archives with a heavy dose of caution—especially when the email comes from an unknown sender.

Over the last two days I received several emails from a sender that I didn’t recognize, and proceeded to analyze the attachment with our own Vinsula Execution Engine, allowing me quickly build a behavioral profile the potential malware. Not surprisingly, the report generated by Vinsula showed clear indications that the attachment is malicious. We have titled this malware Trojan.Malaria.13002. (more…)

The Social Engineering Behind a Malware Campaign


Many of you have experienced phishing attacks, which often come in the form of attempts to illicitly gather personal information by impersonating a person or organization that is a known entity to the target. This may come in the form of an email purporting to be from your bank that actually connects to a compromised web site being used to gather your bank login information, or an email pretending to be from a friend or relative who claims to be stranded in Cyprus without cash or credit cards, and is in desperate need of $3,000 to “get out of a bind.”  Attacks such as these have in the past been relatively easy for the moderately cautious netizen to recognize—one phone call can verify that a relative is at home in Jersey and not in Cyprus, and a close look at the link in the bank email usually reveals a URI that does not actually resolve to the bank’s servers. (more…)

Go to Top