I work for Contraste Europe.
My Microsoft Certified Professional Transcript.
Use Transcript ID 677470 and Access Code didierstevens
Check my CISSP status: click here and type my last name: Stevens
Check my GSSP-C status: click here and look for my name Didier Stevens
Check my RHCT status: click here
Publications
- Reviewer of a Microsoft whitepaper: Applying the Principle of Least Privilege to User Accounts on Windows XP
- (IN)SECURE Magazine Issue 10 page 72: ROT13 is used in Windows? You’re joking!
- (IN)SECURE Magazine Issue 15 page 87: Hiding Inside a Rainbow.
- Hakin9 Issue 1/2009: Basic Process Manipulation Tool Kit
Thought this might be of interest to you, and I didn’t know where else to post this.
The world’s most sophisticated Trojan uncovered!
Security experts have discovered new spambot software that installs its own anti-virus scanner to eliminate competition, alongside a number of other sophisticated features.

SecureWorks has described the Trojan, which it calls SpamThru, in detail. Other vendors have come up with different names for the software. One of the signs of its sophistication, though, is that few anti-virus scanners are aware of it. SpamThru is a money-making operation, and the author takes great care to make sure that detection by the major vendors is avoided by frequently updating the code.

SpamThru is a Trojan that turns a system into part of a network of bots designed to send out spam, a type of operation that’s been around for several years. While the Trojan’s network doesn’t seem especially large so far, at a couple of thousand bots, SpamThru shows that criminals are now able to treat spam software development just like any other commercial development endeavour, Stewart said.

“The complexity and scope of the project rivals some commercial software,” he wrote. “Clearly the spammers have made quite an investment in infrastructure in order to maintain their level of income.” The company has come across previous Trojans that attempt to switch off other malware, in order to maximise system resources, but SpamThru installs a pirated version of Kaspersky AntiVirus for WinGate, customised to skip files known to be part of SpamThru itself, naturally. “It patches the license signature check in-memory in the Kaspersky DLL in order to avoid having Kaspersky refuse to run due to an invalid or expired license,” Stewart wrote. It uses a custom peer-to-peer protocol to control communication with the network, which makes the bot network harder to kill. “Control is still maintained by a central server, but in case the control server is shut down, the spammer can update the rest of the peers with the location of a new control server, as long as he/she controls at least one peer.”

Each client has its own spam engine, creating spam from a template that’s transmitted using AES encryption to avoid giving access to competing spammers, SecureWorks said.
Comment by cynik — Saturday 28 October 2006 @ 2:38
Help ME! I can’t get rid of this stupid trojan on my computer. I have done a ton of scans using things like Spyhunter and Norton Spyware scan, and I’ve tried using the Add/Remove programs, but I still have the trojan. Throughout my many scans I deleted all the parasites/viruses and none of them came back except one. The trojan virus called Zlob. The virus/trojan causes my default home page to be replaced with this Internet Security, Windows XP vulnerable, caution page. Also I keep getting this pop-up that says my computer has a W32.Myzor.FK@yf virus. I don’t know what else to do. Can you please email me ASAP and give some kind of useful recommendation. Thank you.
Comment by Nam Tran — Thursday 8 March 2007 @ 1:10
The best thing you can do is post your problem on a high-volume malware removal forum, like http://forums.spywareinfo.com/
Comment by Didier Stevens — Thursday 8 March 2007 @ 7:59