After reading a blog post on Malwarebytes describing Fobber, a new variant of Tinba, we wanted to have a look at it ourselves. Fobber uses an interesting and unusual approach to make static analysis harder: we'll try to explain it and give hints on how to recover the original unencrypted shellcode. Furthermore, we analysed all injection stages used by the malware and describe what kind of shellcode runs within each injected code.
Fobber Analysis
Published on September 11, 2015 | Filesize: 790 KB | Type: PDF | Language: EN | Version: v1.0