Tag: file infector

Paper: The Hulk

Raul Alvarez studies cavity file infector. Most file infectors increase the length of the infected file, as the malicious code is added as a new section of the host file, or to the last section of that file. ‘Cavity’ file infectors are different though: they infect files without increasing their size. Today, we publish a…

October 8, 2014
Paper: Bird’s nest

Raul Alvarez studies the Neshta prepending file infector. File infectors can be categorized by how they attach themselves to the host file. A cavity virus attaches itself to the available spaces in the host file; an appending virus attaches its code at the end of a file; and a prepending virus does so at the…

August 21, 2014
Paper: API-EPO

Raul Alvarez studies the unique EPO methodology used by the W32/Daum file infector. A few months ago, we published an article by Fortinet ‘s Raul Alvarez on the Expiro file infector, which uses an EPO (entry-point obscuring) technique in an attempt to avoid heuristic detection. In EPO, a file infector doesn’t simply change the entry…

July 14, 2014