Aleksandr Matrosov

Security Intelligence Team Lead


Education: Master of Information Security (2007) at National Nuclear Research University "MEPHI"; Bachelor of Electronics (2001) at Moscow College of Management and New Technologies

Highlights of your career? I have more than ten years of experience with malware analysis, reverse engineering and advanced exploitation techniques. I have worked as a security researcher since 2003 for major Russian IT companies. I am frequently invited to speak at major security conferences on hardcore technical topics.

Position and history at ESET? I joined the company in October 2009 as a Senior Malware Researcher and am currently working as Security Intelligence Team Lead. My team researches the most complex threats.

What malware do you hate the most? The Stuxnet and Flame families, for their tons of C++ code.

Favorite activities? Reverse engineering, automation of RE processes and research in modern exploitation techniques.

What is your golden rule for cyberspace? Don't trust anybody, because you don't know who is really sitting on the other side of the communication channel, and bad guys can play with your trust.

When did you get your first computer and what kind was it? My first experience with personal computers was with a ZX Spectrum in 1992. My first PC with i486DX4 on the board was purchased in 1995.

Favorite computer game/activity? I like cyberpunk computer game series such as System Shock and Deus Ex. But lately my favorite computer game has been the IDA Pro disassembler ;)


26 articles by Aleksandr Matrosov

ESET research

What do Win32/Redyms and TDL4 have in common?

At the beginning of January 2013, we started tracking the interesting Win32/Redyms trojan family. Redyms is notable for changing search results from popular search engines on infected machines.

Aleksandr Matrosov, 04 Feb 2013, 2 min. read


ESET research

Win32/Gapz: steps of evolution

Win32/Gapz has a new technique for code injection and a new VBR infection method. The dropper has many tricks for bypassing detection by security software.

Aleksandr Matrosov, 27 Dec 2012, 5 min. read


ESET research

Win32/Spy.Ranbyus modifying Java code in RBS Ukraine systems

Win32/Spy.Ranbyus shows how it is possible to bypass payment transaction signing/authentication with smartcard devices, and has started to modify Java code in one of the most popular remote banking systems (RBS) in Ukraine.

Aleksandr Matrosov, 19 Dec 2012, 2 min. read


ESET research

Olmasco bootkit: next circle of TDL4 evolution (or not?)

Analysis of the Olmasco bootkit: a TDL4 variation with an interesting approach to dropper technology

Aleksandr Matrosov, 18 Oct 2012, 4 min. read


ESET research

Defeating anti-forensics in contemporary complex threats

Aleksandr Matrosov summarizes the evolution of complex threats using hidden storage, as discussed in his presentation with Eugene Rodionov at Virus Bulletin 2012.

Aleksandr Matrosov, 11 Oct 2012, 4 min. read


ESET research

Flamer Analysis: Framework Reconstruction

Aleksandr Matrosov looks at the internal architecture of Win32/Flamer's mssecmgr.ocx module.

Aleksandr Matrosov, 02 Aug 2012, 4 min. read


ESET research

Rovnix.D: the code injection story

Detailed analysis of Rovnix.D reveals updates to the code injection technique employed, allowing multiple injections with a variety of payloads.

Aleksandr Matrosov, 27 Jul 2012, 4 min. read


ESET research

Flame, Duqu and Stuxnet: in-depth code analysis of mssecmgr.ocx

Analysis of the Flame worm (Win32/Flamer) reveals some interesting facts about the internal structure of its main module.

Aleksandr Matrosov, 20 Jul 2012, 9 min. read


ESET research

Rovnix bootkit framework updated

Changes in the threatscape as regards exploitation of 64-bit systems, exemplified by the latest modifications to the Rovnix bootkit.

Aleksandr Matrosov, 13 Jul 2012, 6 min. read