Detecting extended attributes (ZeroAccess) and other Frankenstein’s monsters with HMFT

From Botnets.fr


Botnet: ZeroAccess
Date: 2013-01-25
Editor/Conference: Hexacorn
Link: http://www.hexacorn.com/blog/2013/01/25/detecting-extended-attributes-zeroaccess-and-other-frankensteins-monsters-with-hmft/

Abstract

Similarly to Corey, I was very interested in researching EA, and I finally took some time tonight to have a deeper look at it myself. I actually wanted to dig into the code more than the $MFT artifacts alone, not only to have something to write about (after all, Corey already covered everything!), but also because I wanted to see how the EA is actually created and what system functions/APIs are used by malware. The reason behind this curiosity was the improvement of my analysis tools and techniques, and a few other ideas that I will be quiet about for the moment.

Bibtex

 @misc{empty2013BFR1288,
   editor = {Hexacorn},
   author = {},
   title = {Detecting extended attributes (ZeroAccess) and other Frankenstein's monsters with HMFT},
   date = {2013-01-25},
   month = jan,
   year = {2013},
   howpublished = {\url{http://www.hexacorn.com/blog/2013/01/25/detecting-extended-attributes-zeroaccess-and-other-frankensteins-monsters-with-hmft/}},
 }