Webroot Retired ThreatBlog Member - Marco Giuliani

Marco Giuliani

Role: Retired ThreatBlog Member
Threat Blog Posts: 6

An experienced malware analyst and kernel developer, I’ve analyzed the most widespread rootkits, such as the Gromozon rootkit, the MBR rootkit, the Rustock rootkit, the TDL3/4 rootkit, the ZeroAccess rootkit, the BIOS rootkit and many others. I have designed and developed many rootkit removal tools, along with generic anti-rootkit engine technologies.



Posts by Marco Giuliani:

Wirenet: The Password-Stealing Trojan Lands on Linux and OS X

No matter what people think about it, the increasing exposure of Linux and OS X to malicious code is directly related to the growing presence of those operating systems on desktops and laptops worldwide. In the last couple of years, more and more home users have switched to Linux (e.g. Ubuntu Linux, to name one of the best-known distributions) or OS X. Most of these users, when asked why they switched from Windows to another operating system, answer by blaming Windows’ critical exposure to malware. However, this increasing trend has been followed by many virus […]

CloudOnomics

By Ian Moyse. Moore’s Law, formulated back in 1965, predicted that the power of silicon would double roughly every two years. But what its creator, Gordon E. Moore, could not have predicted was the dramatic economies of scale the cloud would eventually bring to all of our lives. For one, it has helped drive down the price of essentials like computing power and storage by making them more accessible. It has also enabled conveniences no one would have imagined four or so decades ago. Today we are able to use a mobile device with massive power and local storage to locate and download from virtually […]

Mebromi: the first BIOS rootkit in the wild

By Marco Giuliani. In the past few weeks a Chinese security company called Qihoo 360 blogged about a new BIOS rootkit hitting Chinese computers. This turned out to be a very interesting discovery, as it appears to be the first real malware targeting the system BIOS since a well-known proof of concept called IceLord in 2007. The malware is called Mebromi and contains a bit of everything: a BIOS rootkit specifically targeting Award BIOS, an MBR rootkit, a kernel-mode rootkit, a PE file infector and a Trojan downloader. At this time, Mebromi is not designed to infect 64-bit operating systems and it is not […]

TDL3 and ZeroAccess: More of the Same?

By Marco Giuliani. In our previous technical analysis of the ZeroAccess rootkit, we highlighted how it acts as a framework once it infects the machine: it sets up its own private space on the disk, first through a dedicated file system and more recently by using a hidden and locked directory. This is where the rootkit stores the modules it downloads from its command and control servers. Until now, the plugins we have monitored have been ad-clickers and search engine hijackers. We have also noted how the ZeroAccess rootkit behaves very similarly to the TDL3 rootkit, either by infecting […]

ZeroAccess Rootkit Guards Itself with a Tripwire

By Marco Giuliani. The latest generation of a rapidly evolving family of kernel-mode rootkits, known variously as ZeroAccess or Max++, seems to get more powerful and effective with each new variant. The rootkit infects a randomly chosen system driver, overwriting its code with the rootkit’s own infected driver, and hijacks the storage driver chain in order to hide its presence on the disk. But its self-protection mechanism is its most interesting characteristic: it lays a virtual tripwire. I have written about this rootkit in a few recent blog posts and in a white paper. On an infected computer, this new driver sets up […]

Removing Popureb Doesn’t Require a Windows Reinstall

By Marco Giuliani. Last Wednesday, Microsoft published a blog post detailing a significant update to a piece of malware named Popureb. The malware adds code to the Master Boot Record, or MBR, a region of the hard disk that the PC reads during bootup, long before the operating system has had a chance to start. Researchers sometimes refer to this kind of malware as a bootkit: a rootkit that loads at such a low level during the boot process that it is invisible to the operating system, and therefore very difficult to remove. Microsoft researcher Chun Feng detailed […]
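The excerpt above describes the MBR as a region read before the operating system starts. The following is an added example, not code from the original post or from Webroot, showing the check a practitioner would run against that region: parse the 512-byte MBR (440 bytes of bootstrap code, a 4-byte disk signature, four 16-byte partition entries and the 0x55AA boot signature), hash the bootstrap code and compare it with a baseline captured from the clean system. The sample MBRs, the bootstrap stub and the patched bytes that stand in for an injected loader are all constructed for this example; on a real Windows host the sector would be read with Administrator rights from `\\.\PhysicalDrive0`, and, because a bootkit that hijacks the storage driver chain can hand back a clean copy of the sector to readers inside the infected OS, the read should be taken from a clean boot medium.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440        # bootstrap code occupies bytes 0..439
DISK_SIG_OFF = 440         # 4-byte disk signature (bytes 440..443)
PART_TABLE_OFF = 446       # four 16-byte partition entries start here
PART_ENTRY_LEN = 16
PART_ENTRY_FMT = "<B3xB3xII"   # status, (CHS start), type, (CHS end), LBA start, sector count
BOOT_SIG = b"\x55\xaa"     # bytes 510..511

# CONSTRUCTED sample data for this example (not real Popureb bytes):
# a tiny bootstrap stub (cli / xor ax,ax / mov ss,ax / mov sp,7C00h) padded with NOPs.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 24
# The "infected" copy has its first instructions replaced by a jump,
# standing in for a bootkit redirecting control to its own loader.
INFECTED_BOOT_CODE = b"\xe9\x10\x00" + CLEAN_BOOT_CODE[3:]
# One bootable NTFS partition: (status, type, LBA start, sectors).
SAMPLE_PARTITIONS = [(0x80, 0x07, 2048, 204800)]


def build_mbr(boot_code: bytes, partitions: list, disk_sig: int = 0x12345678) -> bytes:
    """Lay out a 512-byte MBR from bootstrap code and partition tuples (CHS fields left zero)."""
    buf = bytearray(MBR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    buf[:len(code)] = code
    struct.pack_into("<I", buf, DISK_SIG_OFF, disk_sig)
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions[:4]):
        struct.pack_into(PART_ENTRY_FMT, buf, PART_TABLE_OFF + i * PART_ENTRY_LEN,
                         status, ptype, lba_start, sectors)
    buf[510:512] = BOOT_SIG
    return bytes(buf)


def parse_mbr(mbr: bytes) -> dict:
    """Validate the boot signature and decode the partition table and bootstrap-code hash."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, ptype, lba_start, sectors = struct.unpack_from(PART_ENTRY_FMT, mbr, off)
        if ptype == 0:          # empty entry
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def check_mbr(mbr: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    findings = []
    info = parse_mbr(mbr)
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("bootstrap code differs from baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append("expected exactly one bootable partition, found %d" % len(bootable))
    for p in info["partitions"]:
        # Sector 0 is the MBR itself; a partition claiming to start there is malformed.
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append("partition %d has an invalid extent" % p["index"])
    return findings


if __name__ == "__main__":
    clean = build_mbr(CLEAN_BOOT_CODE, SAMPLE_PARTITIONS)
    baseline = parse_mbr(clean)["boot_code_sha256"]   # captured from the known-good system
    print("clean:", check_mbr(clean, baseline))
    print("infected:", check_mbr(build_mbr(INFECTED_BOOT_CODE, SAMPLE_PARTITIONS), baseline))
```

The baseline hash is what makes this useful: the 0x55AA signature and the partition table are usually left intact by a bootkit, so only a comparison of the bootstrap code against a copy taken before infection reveals the change. Restoring that baseline copy to sector 0 (or rebuilding standard boot code with the platform's own tools) is the cleanup the post's title refers to, with no reinstall involved.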
