Detecting extended attributes (ZeroAccess) and other Frankenstein’s monsters with HMFT
| Detecting extended attributes (ZeroAccess) and other Frankenstein’s monsters with HMFT | |
|---|---|
| Botnet | ZeroAccess |
| Malware | |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2013 / 2013-01-25 |
| Editor/Conference | Hexacorn |
| Link | http://www.hexacorn.com/blog/2013/01/25/detecting-extended-attributes-zeroaccess-and-other-frankensteins-monsters-with-hmft/ |
| Author | |
| Type | |
Abstract
“Similarly to Corey, I was very interested in researching EA, and I finally took some time tonight to have a deeper look at it myself. I actually wanted to dig in the code more than the $MFT artifacts alone not only to have something to write about (after all, Corey already covered everything!), but also because I wanted to see how the EA is actually created and what system functions/APIs are used by malware. The reason behind this curiosity was improvement of my analysis tools and techniques, and a few other ideas that I will be quiet about for the moment.”
Bibtex
@misc{2013BFR1288,
  editor = {Hexacorn},
  author = {},
  title = {Detecting extended attributes (ZeroAccess) and other Frankenstein’s monsters with HMFT},
  date = {25},
  month = Jan,
  year = {2013},
  howpublished = {\url{http://www.hexacorn.com/blog/2013/01/25/detecting-extended-attributes-zeroaccess-and-other-frankensteins-monsters-with-hmft/}},
}