21 Jul 2010 |
W32.Stuxnet has received a lot of media attention over the last few days. This incident provides almost a complete case study of how these attacks succeed and how they will probably be used in the future. A successful attack allowed the attacker to steal confidential SCADA design and usage documents.
22 Apr 2010 |
Our previous blog entries about W32.Qakbot gave details about how the threat works, how it spreads, and its capabilities for stealing information.
29 Jan 2010 |
If you have been following this series on Trojan.Hydraq over the last week, you may have noticed that the blog entries have been, well, boring.
28 Jan 2010 |
At this stage we’ve looked at several features of Hydraq, including its obfuscation techniques and how it remains on an infected system. So, what control does the attacker have over a compromised system?
Backdoor Functionality
26 Jan 2010 |
Yesterday’s blog spoke about the obfuscation techniques employed by Trojan.Hydraq. As it turns out, these techniques are not new, have been used by various malware in the past, and are not too tricky to get around. This entry examines the techniques employed by this threat in order to stay active on a compromised computer and survive a restart.
25 Jan 2010 |
While Trojan.Hydraq has been described as sophisticated, the methods used to obfuscate the code are relatively straightforward to deobfuscate. Trojan.Hydraq uses spaghetti code, a technique used to make analyzing the code of a program more difficult. The basic blocks of a function are identified, and then completely rearranged so one cannot easily follow the code in a linear
23 Nov 2009 |
Once again Zeus is up to its old tricks with a new twist. The latest spam run informs users that their latest Social Security statement is available but that it may contain errors. The subject of the mail will be something like “Review annual Social Security statement” and the body warns of a potential identity theft risk and asks you to review your annual statement at the li
29 Oct 2009 |
While looking through some recent customer submissions, a particular filename caught my attention. It was called “googlewaveinvitegenerator.exe”. Google Wave is a new communication application being developed by Google. Many people who missed the initial sign-up for this application are now seeking invites to the service.