Detecting extended attributes (ZeroAccess) and other Frankenstein’s monsters with HMFT

From Botnets.fr
Revision as of 11:46, 31 July 2015 by Eric.freyssinet (talk | contribs) (Text replacement - "/ www." to "/ |Site=www.")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

(Publication) Google search: [1]

Detecting extended attributes (ZeroAccess) and other Frankenstein’s monsters with HMFT
Botnet ZeroAccess
Malware
Botnet/malware group
Exploit kits
Services
Feature
Distribution vector
Target
Origin
Campaign
Operation/Working group
Vulnerability
CCProtocol
Date 2013 / 2013-01-25
Editor/Conference Hexacorn
Link http://www.hexacorn.com/blog/2013/01/25/detecting-extended-attributes-zeroaccess-and-other-frankensteins-monsters-with-hmft/ (Archive copy)
Author
Type

Abstract

Similarly to Corey, I was very interested in researching EA, and I finally took some time tonight to have a deeper look at it myself. I actually wanted to dig in the code more than the $MFT artifacts alone not only to have something to write about (after all, Corey already covered everything! ), but also because I wanted to see how the EA is actually created and what system functions/APIs are used by malware. The reason behind this curiosity was improvement of my analysis tools and techniques, and a few other ideas that I will be quiet about for the moment.

Bibtex

 @misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2013BFR1288,
   editor = {Hexacorn},
   author = {},
   title = {Detecting extended attributes (ZeroAccess) and other Frankenstein’s monsters with HMFT},
   date = {25},
   month = Jan,
   year = {2013},
   howpublished = {\url{http://www.hexacorn.com/blog/2013/01/25/detecting-extended-attributes-zeroaccess-and-other-frankensteins-monsters-with-hmft/}},
 }