Category: Malware

Detecting Malicious Microsoft Office Macro Documents

For the past few months I have been looking into macro-enabled Office documents and during that time I have detected hundreds of malicious documents. This post just highlights what to look out for, so it might benefit some of you when deciding whether to notify or quarantine mail in your environment. I’ve also done a…


Anti-Rootkit scanner tools

Here are some well-known anti-rootkit scanners that are a must-have in your tools collection. It’s always good to have a couple of anti-rootkit scanners, as you may find that some scanners do not detect all rootkits. The download links are for the versions mentioned in the table at the time of this post, so…


Hiding malicious files in Windows folders

The desktop.ini is a standard text file that can be placed in any Windows folder to customize certain aspects of the folder’s behaviour, i.e. what the folder icon should be, what folder name to display, etc. The desktop.ini file is normally a hidden file, so to display existing ones in folders you’ll need to make…


Adobe 0-day vulnerability embedded malware (CVE-2010-1297)

A week after this 0-day vulnerability was reported, a number of posts have been published over the last few days detailing the disassembled malicious Flash (swf) file and exposing the invalid byte that triggers the vulnerability. The vulnerability is caused when a “newfunction” instruction is handled by Adobe’s ActionScript Virtual Machine 2 (AVM2). The vulnerability lies in…


Fake Antivirus “Security Tool” terminating new processes

This fake antivirus software, calling itself “Security Tool”, intercepts binary files at the point of execution and terminates them. Whether it be a bat, com or exe extension, the fake AV terminates them upon execution. This can be very frustrating when trying to remove this malware on a standalone machine. Fortunately not all processes get terminated;…


Fake Antivirus “XP Guardian 2010” exe hijacking

Another fake antivirus software, calling itself “XP Guardian 2010”, is doing its rounds displaying bogus pop-ups and fake scans enticing you to buy its product. What is interesting about this malware is that it changes the machine’s exe file associations in the Windows registry. When any executable with an exe extension is manually or automatically…