FormBook Malware Targets US Defense Contractors, Aerospace and Manufacturing Sectors

Discussion in 'malware problems & news' started by itman, Oct 9, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    https://threatpost.com/formbook-mal...s-aerospace-and-manufacturing-sectors/128334/
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Very interesting malware; it would be cool to see which HIPS/BB could block it. It seems to perform stealth code injection, API hooking and a form of process hollowing. Too bad that MRG doesn't test this kind of malware. In theory, tools like Zemana, SpyShelter and HMPA should be able to block these types of techniques. But can they deliver? That's the question.
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    You need to stop the malware in the initial stages. Per the FireEye article:
    You can read about AutoIt here: https://www.autoitscript.com/site/autoit/
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    No, you're misunderstanding. Obviously, if you block malware from running it's game over, but I'm more interested in pre-execution protection. So even if this malware is able to run, behavior blockers should be able to block or interfere with stuff like API hooking. Would be interesting to see if for example SpyShelter could interfere with the browser hooks. It's a shame that no one is testing this kind of malware.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    It doesn't do API hooking, it does Function hooking. Again per the FireEye article:
    Function hooking works almost identically to Detours: http://resources.infosecinstitute.com/api-hooking-detours/
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Actually, I believe both are kind of the same. But it doesn't matter much, because no matter how you hook, the end goal is the same. Tools like SpyShelter and HMPA should protect and monitor the browser hooks that were mentioned in the FireEye article.
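As an added illustration, not code from this thread or from FireEye, of how a hook monitor of the kind discussed in posts 5 and 6 can spot a Detours-style inline hook: it compares the first bytes of each function's in-memory prologue with the clean on-disk copy and decodes the patched jump. Every function name, load address and byte string below is constructed sample data; a real tool would read them from the target process and from the module on disk.

```python
import struct

# Constructed sample data, not bytes from any real FormBook sample: each entry
# is the first 8 bytes of a Win32 export as found in the on-disk image (CLEAN)
# and as mapped in the process (IN_MEMORY), plus an assumed load address.
FUNCTIONS = {"HttpSendRequestW": 0x76A31000, "PR_Write": 0x6F2A4000,
             "connect": 0x75D0C000, "send": 0x75D0C100}
CLEAN = {
    "HttpSendRequestW": bytes.fromhex("8bff558bec83ec10"),  # mov edi,edi; push ebp; ...
    "PR_Write":         bytes.fromhex("8bff558bec83e4f8"),
    "connect":          bytes.fromhex("8bff558bec83ec0c"),
    "send":             bytes.fromhex("8bff558bec6aff68"),
}
IN_MEMORY = {
    "HttpSendRequestW": bytes.fromhex("e9fbef9e8983ec10"),  # jmp rel32 -> 0x00420000
    "PR_Write":         bytes.fromhex("6800104300c3e4f8"),  # push 0x431000 ; ret
    "connect":          bytes.fromhex("ff2500004400ec0c"),  # jmp dword ptr [0x440000]
    "send":             bytes.fromhex("8bff558bec6aff68"),  # untouched
}

def classify_hook(name, addr, clean, mem):
    """Return None if the prologue matches the clean copy, otherwise a dict
    describing the detour: its kind and, where decodable, where it leads."""
    if mem[:len(clean)] == clean:
        return None
    kind, target = "unknown_patch", None
    if mem[0] == 0xE9:                          # jmp rel32: target = next insn + disp
        disp = struct.unpack_from("<i", mem, 1)[0]
        kind, target = "jmp_rel32", (addr + 5 + disp) & 0xFFFFFFFF
    elif mem[0] == 0x68 and len(mem) > 5 and mem[5] == 0xC3:   # push imm32 ; ret
        kind, target = "push_ret", struct.unpack_from("<I", mem, 1)[0]
    elif mem[:2] == b"\xff\x25":                # 32-bit jmp [abs]: reports the pointer slot
        kind, target = "jmp_indirect", struct.unpack_from("<I", mem, 2)[0]
    return {"function": name, "kind": kind, "target": target}

def scan_hooks(functions, clean, mem):
    """Report every function whose in-memory entry no longer matches disk."""
    found = []
    for name, addr in functions.items():
        hit = classify_hook(name, addr, clean[name], mem[name])
        if hit:
            found.append(hit)
    return found

if __name__ == "__main__":
    for hit in scan_hooks(FUNCTIONS, CLEAN, IN_MEMORY):
        where = f" -> {hit['target']:#010x}" if hit["target"] is not None else ""
        print(f"{hit['function']}: {hit['kind']}{where}")
```

A monitor that does this for the browser and networking exports named in a report, and alerts when the patch leads outside any loaded module, is what a behavior blocker would need to catch this class of hook after the malware is already running.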
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    You don't know for sure until you actually test it using the actual malware.
     