Detecting extended attributes (ZeroAccess) and other Frankenstein’s monsters with HMFT
Jump to navigation
Jump to search
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.
(Publication) Google search: [1]
Detecting extended attributes (ZeroAccess) and other Frankenstein’s monsters with HMFT | |
---|---|
Botnet | ZeroAccess |
Malware | |
Botnet/malware group | |
Exploit kits | |
Services | |
Feature | |
Distribution vector | |
Target | |
Origin | |
Campaign | |
Operation/Working group | |
Vulnerability | |
CCProtocol | |
Date | 2013 / 2013-01-25 |
Editor/Conference | Hexacorn |
Link | http://www.hexacorn.com/blog/2013/01/25/detecting-extended-attributes-zeroaccess-and-other-frankensteins-monsters-with-hmft/ (Archive copy) |
Author | |
Type |
Abstract
“ Similarly to Corey, I was very interested in researching EA, and I finally took some time tonight to have a deeper look at it myself. I actually wanted to dig in the code more than the $MFT artifacts alone not only to have something to write about (after all, Corey already covered everything! ), but also because I wanted to see how the EA is actually created and what system functions/APIs are used by malware. The reason behind this curiosity was improvement of my analysis tools and techniques, and a few other ideas that I will be quiet about for the moment.
Bibtex
@misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2013BFR1288, editor = {Hexacorn}, author = {}, title = {Detecting extended attributes (ZeroAccess) and other Frankenstein’s monsters with HMFT}, date = {25}, month = Jan, year = {2013}, howpublished = {\url{http://www.hexacorn.com/blog/2013/01/25/detecting-extended-attributes-zeroaccess-and-other-frankensteins-monsters-with-hmft/}}, }