Anatomy of a new 64 bit file infector

Expiro file infector cover image

Hi all!

I am still alive 🙂 . I am proud to release here my latest analysis of a multi-architecture file infector. Its name is Expiro. This analysis is the first I have made as an independent security researcher, and it is not related to any company. I hope that it can be useful for all other security researchers like me.

Here is the complete document:

I have inspected the Expiro dropper in depth because I was very curious to understand what a new polymorphic file infector can do. By the way, I have found a lot of weak points in its infection code…
Enjoy the analysis, and please let me know what you think about it; feel free to send me any comments and suggestions…