Inside a Kippo honeypot: how the billgates botnet spreads

A few months ago I decided to install a honeypot to find some new threat and to collect some new malware to be analyzed. There are several honeypot I had in mind to try, but for now I have chosen Kippo. From the Kippo’s homepage: “Kippo is a medium interaction SSH honeypot designed to log brute […]

In depth analysis of Caphaw/Shylock from “FirefoxUpdate.exe” campaign – Part 3

We are finally at the end of our Caphaw/Shylock analysis. This time we will deal entirely with the code injected into explorer.exe process, the context will be a little more complex than previous episodes because we will work within a multithreaded environment. The injected code will identify an active domain (DGA based) in order to download other […]

In depth analysis of Caphaw/Shylock from “FirefoxUpdate.exe” campaign – Part 1

In this essay we will perform an in-depth analysis (from the unpacking to explorer.exe code injection) of the most recent version of Caphaw/Shylock, a banking malware that, at the time of discovery, was ranked as FUD (Fully UnDetected) by VirusTotal. The article will cover the following topics: Analysis of the packer and related unpacking. Reverse […]

Artro Botnet Anatomy Overview

Following the idea of knowledge sharing, here another article taken from my private blog and shared for our readers. Some time ago, while talking with Roman from, we found it necessary to give a more in depth look of a very active Botnet named Artro ( executable commonly identified as Win32/Renos or Trojan-Downloader.Win32.CodecPack ) […]