Microsoft Malware Protection Center

Threat Research & Response Blog

August, 2008

  • Manufacturing Fear

    We’ve seen some particularly nasty malware recently that has prompted me to think about how people react to scare tactics and fear appeals. The kind of malicious software I’m thinking of in particular here is generally referred to as ‘rogue security software’, and it displays false and misleading messages regarding malware infections in order to convince affected users to perform a particular recommended action, which would normally involve ‘cleaning’ their machine in a particular way. This software...
  • A Normal Day at the Office

    (Never ending story...) We arrived a bit early at the office the other day. It was a beautiful sunny day, you know, typical weather when you have to work :D Soon after arriving, we stumbled upon what became an interesting case. It was an executable file that apparently was related to the DNS cache poisoning attack that happened a few days prior, and we had to see what it was all about. One file, right? Below we will try to present the whole picture, starting with how the DNS cache server gets...
  • My Favourite Time of the Year

    It's when a VX group folds, and it has happened again. Twice, even. The day before the "much anticipated" ;-) EOF-DoomRiderz-rRlf group zine was released, rRlf announced that they were disbanding. This is something that we could have guessed anyway, based on the comment in Latin that was posted on their website a few days prior. While I didn't get a good translation for it, I understood it to mean something along the lines of "I must think about things". These days, VX groups are little more than...
  • MMPC Encyclopedia Top 5: Mostly Vundo

    The following is a list of our top five most commonly viewed encyclopedia pages last month: 1. TrojanSpy:Win32/Bancos.gen!A, 2. Win32/Vundo, 3. Trojan:Win32/Vundo.gen!H, 4. Trojan:Win32/Vundo.gen!P, 5. Win32/Alcan. It looks like our readers are really interested in Win32/Vundo, also known as Win32/Virtumonde. Of the 5 most popular malware encyclopedia entries last month, 3 of them are Win32/Vundo related (2, 3, and 4). We have lots of details about it in our encyclopedia, but perhaps we should...
  • MMPC @ Gamefest 2008

    I had the privilege of presenting a couple of weeks ago at Gamefest 2008 —a Microsoft-sponsored technical conference targeted at the games industry. I spoke about game password stealers: what they do, which games are targeted by which families and the behaviors of those families, prevalence, number of variants and so on. This is a completely different type of audience than the security folks to whom I usually present and it was a very refreshing change of pace. These were sharp, savvy technologists...
  • Current Events Spark Round of Malware

    Attackers are busy monitoring current events so they can distribute malware that appears relevant, such as sending spam messages containing links to malware with contextual references to the 2008 Olympics in Beijing, or other current events. We recently began receiving reports of a new spam run with an attached malicious password-protected .ZIP file. The message text below is a sample of the message that was sent. Note that this is an example of social engineering. The context of the message is...
  • MSRT on CAPTCHA breaking malware

    A CAPTCHA (IPA: /ˈkæptʃə/) is a type of challenge-response test used in computing to ensure that the response is not generated by a computer. The process involves one computer (a server) asking a user to complete a simple test which the computer is able to generate and grade. Because other computers are unable to solve the CAPTCHA, any user entering a correct solution is presumed to be human. -- http://en.wikipedia.org/wiki/CAPTCHA Ever since Luis von Ahn and folks from Carnegie Mellon introduced...
  • Year Old Worm Weasels its Way Aboard I.S.S.

    According to several reports across the 'net, NASA revealed in a log report that a worm was discovered on some laptops aboard the International Space Station. The worm, known by some as Gammima, which we call Worm:Win32/Taterf.gen!C, is at least a year old. NASA is known to perform experiments involving the order "Oligochaeta", whereas the Gammima worm does not thrive in the dirt. There is speculation on how exactly the computer worm arrived onto the lab laptops but as of yet, "mum's the word...
  • Malware rides the wave of 2008 Beijing Olympics

    The great anticipation that awaited the Olympics is matched by the anticipation for malware to make use of the event to infect users. The first executable malware taking advantage of this event has also arrived. The malware is disguised as a screen saver named "2008BeijingOlympics.scr". When you run the program, it actually displays some nice pictures of some of the Olympic Stadiums, so people may not notice the payload of installing a keylogger onto their computers. The trojan drops two files named...
  • Another Malware Rides the 2008 Olympics Wave

    We recently noticed a new malware threat that is spreading via email. The email contains a malicious ‘CHM’ (Microsoft Compiled HTML Help) file attachment which displays a document about free speech and media freedom during the Olympics in Chinese and English when opened. We have added detection for this threat and named it ‘Backdoor:Win32/Xinia.B’. You can read more about it in our encyclopedia. When the CHM file is opened, it will write a malicious file to “c:\windows\downloaded program files...