Results for windows

Threat Research

WINS Server Remote Memory Corruption Vulnerability in Microsoft Windows Server

Summary In December 2016, FortiGuard Labs discovered and reported a WINS Server remote memory corruption vulnerability in Microsoft Windows Server. In June of 2017, Microsoft replied to FortiGuard Labs, saying, "a fix would require a complete overhaul of the code to be considered comprehensive. The functionality provided by WINS was replaced by DNS and Microsoft has advised customers to migrate away from it." That is, Microsoft will not be patching this vulnerability due to the amount of work that would be required. Instead, Microsoft...

By Honggang RenJune 14, 2017

Threat Research

Deep Analysis of Esteemaudit

A Windows 2003 RDP Zero Day Exploit In this blog, the FortiGuard team takes a look at Esteemaudit, which is an exploit that was included in the set of cybertools leaked by the hacker group known as "Shadow Brokers." They claim that they collected this set of cybertools from the compromised data of "Equation Group," a threat actor alleged to be tied to the United States National Security Agency (NSA). Esteemaudit is a Remote Desktop Protocol (RDP) exploit that targets Microsoft Windows Server 2003 / Windows XP. The vulnerability...

By Dehui YinMay 11, 2017

Threat Research

Deep Analysis of New Emotet Variant – Part 2

This is the second part of FortiGuard Labs’ deep analysis of the new Emotet variant. In the first part of the analysis we demonstrated that by bypassing the server-side Anti-Debug or Anti-Analysis technique we could download three or four modules (.dll files) from the C&C server. In that first blog we only analyzed one module (I named it ‘module2’). In this blog, we’ll review how the other modules work. Here we go.

By Xiaopeng ZhangMay 09, 2017

Threat Research

Deep Analysis of New Emotet Variant – Part 1

Background Last week, FortiGuard Labs captured a JS file that functions as a malware downloader to spread a new variant of the Emotet Trojan. Its original file name is Invoice__779__Apr___25___2017___lang___gb___GB779.js.  A JS file, as you may be aware, is a JavaScript file that can be executed by a Window Script Host (wscript.exe) simply by double-clicking on it. In this blog we will analyze how this new malware works by walking through it step by step in chronological order. A JS file used to spread malware The original JS code...

By Xiaopeng ZhangMay 03, 2017

Threat Research

Microsoft Word File Spreads Malware Targeting Both Mac OS X and Windows (Part II)

In the blog we posted on March 22, FortiGuard Labs introduced a new Word Macro malware sample that targets both Apple Mac OS X and Microsoft Windows. After deeper investigation of this malware sample, we can confirm that after a successful infection the post-exploitation agent Meterpreter is run on the infected Mac OS X or Windows system. Meterpreter is part of the Metasploit framework. More information about Meterpreter can be found here. For this to work, the attacker’s server must be running Metasploit as the controller to control the...

Industry Trends

Server 2003 - Out With a Whimper...The Bang Will Come Later

I've kept more than my share of legacy systems alive over the years. Sometimes they've running applications that aren't compatible with newer operating systems. More often, there simply isn't the time or money to deal with an upgrade. But with the end of support for Microsoft Server 2003 coming and going this week, I can't help but wonder at the sheer number of businesses still running the OS or what appears to be a general sense of apathy over its end of life.     As Fahmida Rashid over at PCMag put it, "...Windows...

By Chris DawsonJuly 17, 2015

By Michael PernaNovember 14, 2014

Threat Research

Tinba Turns 64

A few months ago, Tinba’s source code was leaked in the wild. It is now inevitable that a different and enhanced version of it is out there. Tinba, also known as Tiny Banker, made its debut a couple of years ago. Though it is small, it is capable of doing what its big brothers can do. For more details on some of its features, you can read my article posted on Virus Bulletin. 64-bit Injected Code As expected, we have seen some new changes added to the original malware. Tinba is now capable of injecting its code into a 64-bit running process. The...

By Raul AlvarezOctober 06, 2014

By Michael PernaMay 24, 2014

By Michael PernaApril 12, 2014