VB Blog

VB2018 paper: Anatomy of an attack: detecting and defeating CRASHOVERRIDE

Posted by   Martijn Grooten on   Mar 5, 2019

In December 2016, the CRASHOVERRIDE malware framework was used to cause a blackout in Ukraine. At VB2018 in Montreal, Dragos researcher Joe Slowik presented a detailed paper on the framework, explaining how the malware works and how it targets various protocols used to operate the electric grid. Today we publish both Joe's paper and the recording of his presentation.

Read more  

VB2018 presentation: Levelling up: why sharing threat intelligence makes you more competitive

Posted by   Helen Martin on   Mar 1, 2019

In a presentation at VB2018, Michael Daniel, President and CEO of the Cyber Threat Alliance, outlined exactly how threat sharing strengthens a company's competitive advantage. Today we release the recording of his presentation.

Read more  

The malspam security products miss: Emotet, Ursnif, and a spammer's blunder

Posted by   Martijn Grooten on   Feb 25, 2019

The set-up of the VBSpam test lab gives us a unique insight into the kinds of emails that are more likely to bypass email filters. This week we look at the malspam that was missed: a very international email with a link serving Emotet, an Italian Ursnif campaign with a password-protected ZIP and an email to which a clumsy spammer had attached a list of email addresses rather than a payload.

Read more  

VB2018 paper: The modality of mortality in domain names

Posted by   Martijn Grooten on   Feb 22, 2019

Domains play a crucial role in most cyber attacks, from the very advanced to the very mundane. Today, we publish a VB2018 paper by Paul Vixie (Farsight Security) who undertook the first systematic study into the lifetimes of newly registered domains.

Read more  

VB2018 paper: Analysing compiled binaries using logic

Posted by   Martijn Grooten on   Feb 20, 2019

Constraint programming is a lesser-known technique that is becoming increasingly popular among malware analysts. In a paper presented at VB2018 Thaís Moreira Hamasaki presented an overview of the technique and explained how it can be applied to the analysis of (potentially) malicious binaries. Today, we publish both Thaís' paper and the video of her presentation.

Read more  

Virus Bulletin encourages experienced speakers and newcomers alike to submit proposals for VB2019

Posted by   Martijn Grooten on   Feb 19, 2019

With a little less than a month before the deadline of the call for papers for VB2019, Virus Bulletin encourages submissions from experienced speakers and newcomers alike.

Read more  

VB2018 paper: Internet balkanization: why are we raising borders online?

Posted by   Helen Martin on   Feb 13, 2019

At VB2018 in Montreal, Ixia researcher Stefan Tanase presented a thought-provoking paper on the current state of the Internet and the worrying tendency towards raising borders and restricting the flow of information. Today we publish both his paper and the recording of his presentation.

Read more  

The malspam security products miss: banking and email phishing, Emotet and Bushaloader

Posted by   Martijn Grooten on   Feb 11, 2019

The set-up of the VBSpam test lab gives us a unique insight into the kinds of emails that are more likely to bypass email filters. This week we look at the malspam that was missed: banking and email phishing, Emotet and Bushaloader.

Read more  

VB2018 paper: Where have all the good hires gone?

Posted by   Helen Martin on   Feb 8, 2019

The cybersecurity skills gap has been described as one of the biggest challenges facing IT leaders today. At VB2018 in Montreal, ESET's Lysa Myers outlined some of the things the industry can do to help address the problem. Today we publish Lysa's paper and the recording of her presentation.

Read more  

Preview: Nullcon 2019

Posted by   Martijn Grooten on   Feb 5, 2019

We look forward the Nullcon 2019 conference in Goa, India, at which VB Editor Martijn Grooten will give a talk on the state of malware.

Read more  
Previous1...1213141516...215Next

Search blog

VB2017 video: Turning Trickbot: decoding an encrypted command-and-control channel

Trickbot, a banking trojan which appeared this year, seems to be a new, more modular, and more extensible malware descendant of the notorious Dyre botnet trojan. At VB2017, Symantec researcher Andrew Brandt presented a walkthrough of a typical Trickbot in…
Trickbot, first reported a year ago by Malwarebytes researcher Jérôme Segura as the successor of Dyre/Dyreza, has become perhaps the most important banking trojan of 2017. It is… https://www.virusbulletin.com/blog/2017/11/vb2017-video-turning-trickbot-decoding-encrypted-command-and-control-channel/

Ebury and Mayhem server malware families still active

Ebury and Mayhem, two families of Linux server malware, about which VB published papers back in 2014, are still active and have received recent updates.
Whether it is to send spam or to redirect web traffic to malicious payloads, compromised (Linux) web servers are the glue in many a malware campaign. Two such networks of… https://www.virusbulletin.com/blog/2017/10/ebury-and-mayhem-server-malware-families-still-active/

VB2017 preview: Offensive malware analysis: dissecting OSX/FruitFly.B via a custom C&C server

We preview Patrick Wardle's VB2017 paper, in which the Synack researcher analyses the mysterious OSX/FruitFly malware by setting up a custom C&C server.
Apart from the odd taxi driver loudly making the claim, the idea that "Macs don't get malware" has become something of the past. Nevertheless, most security researchers focus on… https://www.virusbulletin.com/blog/2017/09/vb2017-preview-offensive-malware-analysis-dissecting-osxfruitfly-custom-cc-server/

Hot FinSpy research completes VB2017 programme

Researchers from ESET have found a new way in which the FinSpy/FinFisher 'government spyware' can infect users, details of which they will present at VB2017 in Madrid.
The infamous FinSpy (or FinFisher) government spyware has managed to keep a low profile in recent years, though its use of two Microsoft zero-days (CVE-2017-0199 and… https://www.virusbulletin.com/blog/2017/09/hot-finspy-research-makes-vb2017-programme-complete/

VB2017 preview: Android reverse engineering tools: not the usual suspects

We preview the VB2017 paper by Fortinet researcher Axelle Apvrille, in which she looks at some less obvious tools for reverse engineering Android malware.
Six years ago (coincidentally the last time the VB conference was held in Spain) saw the first VB conference paper presented on Android malware, which at that time was still an… https://www.virusbulletin.com/blog/2017/09/vb2017-preview-android-reverse-engineering-tools-not-usual-suspects/

Malicious CCleaner update points to a major weakness in our infrastructure

Researchers from Cisco Talos have found that a recent version of the widely used CCleaner tool installed malware on the machine.
For the security community, 2017 might well be called the year of the update: two of the biggest security stories – the WannaCry outbreak and the Equifax breach – involved… https://www.virusbulletin.com/blog/2017/09/malicious-ccleaner-update-points-major-weakness-our-infrastructure/

Despite the profitability of ransomware there is a good reason why mining malware is thriving

Though ransomware is far more profitable than using a compromised PC to mine bitcoins, the global distribution of malware means that there are many botnets for which mining is the most efficient way to extract money out of a PC.
When, a few years ago, a friend and I were analysing a rather large botnet and we saw some network traffic indicating that it was engaged in Bitcoin mining, we felt rather… https://www.virusbulletin.com/blog/2017/09/despite-profitability-ransomware-there-good-reason-why-mining-malware-thriving/

VB2017 preview: Crypton - exposing malware's deepest secrets

We preview the VB2017 paper by Julia Karpin and Anna Dorfman (F5 networks), in which they present a tool to decrypt encrypted parts of malware.
Ask a programmer to perform the same task twice and they will write a tool that automates it. Malware analysts are no different, and the Virus Bulletin Conference has a long… https://www.virusbulletin.com/blog/2017/09/vb2017-preview-crypton-exposing-malwares-deepest-secrets/

VB2017 preview: Mariachis and jackpotting: ATM malware from Latin America

We preview the VB2017 presentation by Kaspersky Lab researchers Thiago Marques and Fabio Assolini in which they look at malware targeting ATMs in Latin America.
A few years ago, I saw an ATM being opened for the first time. "Hold on," I thought, "this is really just a Windows XP PC!" Suddenly, I realised that, to attack an ATM,… https://www.virusbulletin.com/blog/2017/08/vb2017-preview-mariachis-and-jackpotting-atm-malware-latin-america/

The WannaCry kill switch wasn't inserted to make someone a hero

Following the arrest of WannaCry hero Marcus Hutchings, suggestions have been made that he was behind the WannaCry malware itself, and that he inserted the kill switch to make himself a hero. This seems highly unlikely.
Almost three months after its damaging outbreak, the WannaCry malware remains shrouded in mystery. Last week's arrest of security researcher Marcus Hutchings, better known and… https://www.virusbulletin.com/blog/2017/08/wannacry-kill-switch-wasnt-inserted-make-someone-hero/

By removing VPNs from its Chinese App Store, Apple turns its biggest security asset against its users

To comply with Chinese laws, Apple has removed all iOS VPN apps from its Chinese app store. This means that the company uses iOS's strongest security asset, its tightly controlled App Store, against its own users.
A little over a month ago, Apple's iPhone celebrated its tenth birthday. The iPhone has been one of the biggest commercial success stories ever, but it has also been a great… https://www.virusbulletin.com/blog/2017/08/removing-vpns-its-chinese-app-store-apple-turns-its-biggest-security-asset-aggasnt-its-users/

48 hours after initial reports, many mysteries remain around the latest ransomware/wiper threat

Whether you call it Petya, NotPetya, Nyetya or Petna, there are still many mysteries surrounding the malware that has been causing havoc around the world.
"What's in a name? that which we call a rose By any other name would smell as sweet" Shakespeare's philosophising can equally be applied to malware, and whether you call it… https://www.virusbulletin.com/blog/2017/06/48-hours-after-initial-reports-many-mysteries-around-latest-ransomwarewiper-threat-remain/

VB2016 paper: Steam stealers: it's all fun and games until someone's account gets hijacked

Last year, Kaspersky Lab researcher Santiago Pontiroli and PwC's Bart Parys presented a VB2016 paper analysing the malicious threats faced by users of the Steam online gaming platform, and highlighting how organized criminals are making money with these p…
The online games market is huge, and the Steam platform is a huge player in that market. Users registered on the Steam platform use their credit cards to buy content, and… https://www.virusbulletin.com/blog/2017/06/vb2016-paper-steam-stealers-its-all-fun-and-games-until-someones-account-gets-hijacked/

Research paper shows it may be possible to distinguish malware traffic using TLS

Researchers at Cisco have published a paper describing how it may be possible to use machine learning to distinguish malware command-and-control traffic using TLS from regular enterprise traffic, and to classify malware families based on their encrypted C…
Researchers at Cisco have published a paper (PDF) describing how it may be possible to use machine learning to distinguish malware command-and-control (C&C) traffic using TLS from… https://www.virusbulletin.com/blog/2017/06/research-paper-shows-it-may-be-possible-distinguish-malware-traffic-using-tls/

Consumer spyware: a serious threat with a different threat model

Consumer spyware is a growing issue and one that can have serious consequences: its use is increasingly common in domestic violence. But do our threat models consider the attacker with physical access to, and inside knowledge of the victim?
We all know the risks of having a device infected with malware: an anonymous adversary far away can encrypt your files and hold them to ransom; they can steal your personal data… https://www.virusbulletin.com/blog/2017/04/consumer-spyware-serious-threat-different-threat-model/

VB2016 paper: Debugging and monitoring malware network activities with Haka

In their VB2016 paper, Stormshield researchers Benoît Ancel and Mehdi Talbi introduced Haka, an open-source language to monitor, debug and control malicious network traffic. Both their paper and the video recording of their presentation are now available …
Anyone who has ever analysed malware through its network communications will knows that this often involves ad-hoc scripts in languages like Python or Perl to decode the traffic.… https://www.virusbulletin.com/blog/2017/04/vb2016-paper-debugging-and-monitoring-malware-network-activities-haka/

VB2016 paper: One-Click Fileless Infection

Symantec researchers Himanshu Anand and Chastine Menrige explain how a single click can lead to a compromised machine, without malware ever being stored on disk.
Over the last few years, we have seen a sharp increase in 'fileless' infections, where a machine is compromised without a malicious file ever being written to disk. Though not… https://www.virusbulletin.com/blog/2017/03/vb2016-paper-one-click-fileless-infection/

VB2016 video: Nymaim: the Untold Story

Until very recently, the Nymaim banking trojan was a serious problem in Poland. Today, we publish the video of the VB2016 presentation by CERT Polska researchers Jarosław Jedynak and Maciej Kotowicz, in which they analyse this malware-dropper-turned-banki…
Every year, the Virus Bulletin conference programme includes a number of 'last-minute' papers: presentations on topics that are so hot, they are added to the programme only a few… https://www.virusbulletin.com/blog/2017/02/vb2016-video-nymaim-untold-story/

VB2016 paper: Great crypto failures

Crypto is hard, and malware authors often make mistakes. At VB2016, Check Point researchers Yaniv Balmas and Ben Herzog discussed the whys and hows of some of the crypto blunders made by malware authors. Today, we publish their paper and the recording of …
"More malware is using cryptography, and more malware is using better cryptography," said Check Point researcher Yaniv Balmas on stage during VB2016. While the increased use of… https://www.virusbulletin.com/blog/2017/01/vb2016-paper-great-crypto-failures/

Ransomware would be much worse if it wasn't for email security solutions

The latest VBSpam test brings good news: at least 199 out of every 200 emails containing a malicious attachment were blocked by email security solutions. All of the full solutions tested achieved a VBSpam award, with five earning a VBSpam+ award.
Many experts believe that ransomware is set to become an even worse problem in 2017 than it was in 2016 — which is rather bad news, given the damage it has already done. Still,… https://www.virusbulletin.com/blog/2017/01/ransomware-would-be-so-much-worse-if-it-wasnt-email-security-solutions/

« Previous 1234567 Next »

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.