Author: Sanchit Karve

Sanchit Karve

The W32/Worm-AAEH family (aliases: Beebone, VObfus, Changeup) of Trojans/downloaders/worms has been notorious for consistently morphing itself and switching control servers since June 2009. In June 2013, the AAEH worm made its biggest cosmetic change since 2009 by packaging an entire encrypted binary (containing all the malicious W32/Worm-AAEH code) inside its signature cryptor, which previously held only […]

The Dofoil downloader (found in the wild since 2011) occasionally updates itself with new features and encryption techniques to hide communications with its control servers. The latest iteration uses a variation of XOR and RC4 algorithms similar to previous variants to encrypt the list of control servers within the binary and encrypt all traffic with […]

McAfee Labs has recently come across a number of malware samples that drop Zbot and Necurs rootkits. These use a discreet technique to intentionally crash Windows XP. Interestingly, the malware achieves its OS awareness without using any standard Windows API functions. Instead, it relies on the differences in default register values as well as its […]

  Update: 4/11/2014 McAfee’s Heartbleed Test tool has been posted and enables users to test sites for the presence of this vulnerability. ———- A recent vulnerability in OpenSSL is causing quite a stir. Documented as CVE-2014-0160, this vulnerability has a significant impact on the perceived security of a number servers across the globe. One of […]

Last week, we noticed thousands of malware files in the wild that employ a simple phishing attack by modifying the hosts file on Windows systems. What’s interesting, however, is the technique chosen by the malware authors to distribute their payload. The samples in question (Example MD5: 34d9b42bfd64c6f752fe27eef8d80c5f) are packaged in a ZIP file along with […]