Microsoft Malware Protection Center

Threat Research & Response Blog

September, 2008

  • Life, the Universe, and Everything

    In July, I wrote about two of the amazing new instructions in the SSE 4.2 set: CRC32 and PCMPxSTRx. CRC32 is special because of its immediate application to obfuscated import resolution, a common technique among viruses and packers. I said "the VX guys will probably be able to take advantage of it before AV guys can". I was thinking slightly longer term than four weeks, but that's all it took. In August, the first virus appeared that makes use of the CRC32 instruction. They would have found it sooner...
  • Helpful Suggestions to Protect You From Game Password Stealers

    Greetings. As you probably figured out from Matt McCormack's post and Jeff Williams' post, there are a lot of Game PWS (password stealers) out there. I decided to do a post on how you might prevent these PWS from infecting your computer. 1. Run up-to-date antivirus software. I know we gamers hate the performance penalty AV software can cause; however, we also hate the idea of the item we slaved over for days disappearing on us. I have seen suggestions of just disabling AV while running...
  • Cleaning Over 10 Million IRC Bots

    No one could have anticipated all the ways that Internet Relay Chat (IRC) would eventually be used when it was 'created' in Finland during the late 1980s. People really started picking up on IRC in the early 1990s, and as with virtually all popular technologies, it started to get abused. IRC enables a single user to communicate with many other users in the same "chat room" (known as a channel). Miscreants quickly realized that this architecture is very well suited for controlling multiple compromised...
  • Win32/Slenfbot - Just Another IRC bot?

    This month we added a new family of malicious IRC bots to MSRT - Win32/Slenfbot. IRC bots were all the rage a couple of years ago but have dropped off a little in recent times. In general, malware has both diversified and become more specialised, with many bad guys using custom communications protocols for backdoor control. Of course, what constitutes a drop is all relative. IRC is clearly still a popular backdoor control method. So what's interesting about Slenfbot? Isn't it just another IRC bot...
  • Another Reason to Avoid Piracy

    Earlier this month, our colleagues at the Online Services Security & Compliance Incident Management team were alerted to content on a Spaces page that was allegedly violating copyrights. The reporting party (a well-known band) was particularly concerned as this content was turning up on numerous web portals, having been leaked in Europe only 24 hours prior. Upon investigating the Spaces page, rather than display copyrighted material, an embedded "video" prompted investigators to download a...
  • Infected Hardware Myth or Reality?

    Recently I stumbled across an interesting firmware/hardware contest hosted by the Polytechnic Institute of NYU. I've seen similar competitions run before - some promoting teamwork, some perhaps generating new ideas for hardware or firmware designs, some just wasting the participants' efforts altogether. But not this time; this time it's different. I'll come to the rules of the actual contest a bit later. But first it is worth noting that history provides a number of examples of otherwise innocent...
  • MMPC Encyclopedia Top 5: More Bancos

    The following is a list of our top five most commonly viewed encyclopedia pages last month: 1. TrojanSpy:Win32/Bancos.gen!A; 2. Program:Win32/Antivirus2008; 3. Trojan:Win32/Vundo.gen!H; 4. Win32/Vundo; 5. Win32/Virtumonde. The trends appear quite similar to the month prior: the most popular encyclopedia entry is still Bancos, and we still have several Vundo pages in the list. We covered Vundo last month, so I'll go into a little more detail about the Bancos trojan. Bancos is a password stealing...
  • Canada, Here We Come!

    It’s late September. For any self-respecting anti-virus researcher this is the time of year when one thinks about the Virus Bulletin Conference . Am I going? Who else is going? Should we organize some extra meetings? When? Where? Is my presentation ready? What’s the program? What will be the entertainment during the gala dinner? The closer to the date the more excitement is building up in the air. This year, this most important anti-malware conference takes place on 1-3 October, in Ottawa, Canada...
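Referring back to the SSE 4.2 post above: the reason a hardware CRC32 instruction matters for obfuscated import resolution is that a loader can walk a module's export table comparing a 32-bit hash of each name against a constant, so no API name string ever appears in the binary and one instruction replaces a hand-rolled hash loop. The example below is added here and is not code from the MMPC post or from any sample it describes. It reproduces the instruction's per-byte Castagnoli step in portable C (reflected polynomial 0x82F63B78, no initial value and no final inversion, which is what the instruction does to whatever accumulator it is given), uses that step as an import-by-hash resolver over a constructed export list, and shows the analyst-side counterpart: precomputing the same hashes for known API names so a constant pulled from a sample can be mapped back to the name it stands for. The seed 0xFFFFFFFF, the export names and all function names are assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One step of the SSE4.2 CRC32 instruction on a single byte: Castagnoli
 * polynomial in reflected form (0x82F63B78), no initial/final inversion.
 * Written bitwise so it runs on any CPU, not just one with SSE4.2. */
uint32_t crc32c_u8(uint32_t crc, uint8_t b)
{
    crc ^= b;
    for (int i = 0; i < 8; i++)
        crc = (crc >> 1) ^ (0x82F63B78u & (0u - (crc & 1u)));
    return crc;
}

/* Conventional CRC-32C (init 0xFFFFFFFF, final XOR), i.e. what a library
 * crc32c routine returns. Check value for "123456789" is 0xE3069283, which
 * is how we confirm the bit-level step above is right. */
uint32_t crc32c(const void *data, size_t len)
{
    const uint8_t *p = data;
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++)
        crc = crc32c_u8(crc, p[i]);
    return ~crc;
}

/* Hash the way an import-by-hash loop built on the instruction would:
 * seed the register, fold in each byte of the export name, keep the raw
 * value. The seed is an assumption here; real samples pick their own. */
uint32_t api_hash(const char *name, uint32_t seed)
{
    uint32_t h = seed;
    for (; *name; name++)
        h = crc32c_u8(h, (uint8_t)*name);
    return h;
}

/* Constructed stand-in for a module's export table (not real export data). */
static const char *const kExports[] = {
    "CreateFileA", "GetProcAddress", "LoadLibraryA", "VirtualAlloc", "WriteFile",
};
#define N_EXPORTS (sizeof kExports / sizeof kExports[0])

/* Loader side: scan the export names comparing hashes, never strings. */
const char *resolve_by_hash(uint32_t want, uint32_t seed)
{
    for (size_t i = 0; i < N_EXPORTS; i++)
        if (api_hash(kExports[i], seed) == want)
            return kExports[i];
    return NULL;
}

/* Analyst side: precompute hashes of known API names under the sample's
 * seed so constants found in the code can be turned back into names. */
struct hash_entry { uint32_t hash; const char *name; };

size_t build_hash_table(struct hash_entry *out, size_t cap, uint32_t seed)
{
    size_t n = 0;
    for (size_t i = 0; i < N_EXPORTS && n < cap; i++, n++) {
        out[n].hash = api_hash(kExports[i], seed);
        out[n].name = kExports[i];
    }
    return n;
}

const char *lookup_hash(const struct hash_entry *tab, size_t n, uint32_t h)
{
    for (size_t i = 0; i < n; i++)
        if (tab[i].hash == h)
            return tab[i].name;
    return NULL;
}

int main(void)
{
    struct hash_entry tab[N_EXPORTS];
    size_t n = build_hash_table(tab, N_EXPORTS, 0xFFFFFFFFu);

    printf("crc32c(\"123456789\") = 0x%08X\n", crc32c("123456789", 9));
    for (size_t i = 0; i < n; i++)
        printf("0x%08X  %s\n", tab[i].hash, lookup_hash(tab, n, tab[i].hash));
    return 0;
}
```

Because the instruction applies neither an initial value nor a final inversion, a sample's hash constants depend entirely on the seed its loop starts from (commonly 0 or 0xFFFFFFFF, but not necessarily); an analyst rebuilding the table has to use the seed the sample actually loads, and any shortcut that feeds the names to a library crc32c() will produce values that never match because of the final XOR.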