Hello, welcome to the Monday, November 14th, 2016 edition of the Sands and the Storms and a Stormcast.

My name is Johannes Ulrich and I'm recording from Jacksonville, Florida.

Last week, the DA was writing about malware that was using a process replacement technique

in order to hide itself from whitelisting protection.

Well, one of the questions that came up from readers was whether or not EMIT will actually prevent

this malware from working. And turns out, indeed, in its default configuration, EMIT will

prevent this from working if you have the

export address table access filtering or short EAF enabled and that's enabled by

default for word that will block this exploit technique and just terminate the

word process without having the final part of the

exploit execute.

Of course the visual basic script will still run.

It just can't pull off this process switching trick in the end.

And with all the attention spent to Mira and its variants, it's easy to forget, there's

still other stuff happening as well. Ghee is seeing lately a lot of Bitcoin miners being

uploaded to weekly configured FTP servers. He's using Honeypot to collect samples. You have seen Bitcoin miners and of course

yes Bitcoin is still a thing and Bitcoin mining can still make you some money

in particular if you're using someone else's computer. You typically notice that a

Bitcoin miner is running on a system just based on the system running slower overall

and pecking out its CPU load.

Now, proactively, what you may want to do is just scan your environment for FTP servers

and then of course check for weak passwords.

...