Malware teardowns, memory forensics, mobile-security and vulnerability analysis written by Zubair Ashraf during his years on IBM’s X-Force research team. Originally published on IBM SecurityIntelligence (2013–2015) and preserved here.
These articles were originally published on IBM SecurityIntelligence. IBM has since retired that site; each piece below is reproduced from its archived copy, with a link back to the original snapshot on the Internet Archive.
Hunting the Rombertik malware in memory with Volatility, CrowdInspect and AutoRuns — detecting code hooks and injected threads on a live host.
A deep look at the Apache Struts Parameters and Cookie interceptor flaws — how they work, their impact, and how they were exploited.
Why advanced attacks can't be stopped by signatures alone, and how big-data security analytics shifts defenders toward probabilistic detection.
Demonstrating how an Android device could report itself MDM-compliant — passcode and all — without actually having a password set.
Part 2 of the OBAD teardown: how the trojan abuses Device Administrator privileges to hide itself and resist uninstallation.
Notes from a State-of-the-Hack panel with Kevin Mandia — what the Mandiant / CrowdStrike / FireEye view said about the attacker–defender gap.
A look back at Bruce Schneier's talk on incident response — why detection and response, not just prevention, define modern security.
Mikko Hyppönen at TrustyCon on governments as malware authors, and what state-sponsored offense means for everyone else's trust model.
Part 1 of a hands-on Android malware teardown: setting up the tools and beginning to reverse the heavily-obfuscated OBAD trojan.
A plain explanation of the Android “master key” signature-verification bug that let attackers modify a signed APK without breaking its signature.
Memory forensics of the Zeus banking trojan with the Volatility framework — finding the malware's footprint in a RAM image.