Microsoft Malware Protection Center

Threat Research & Response Blog

October 2008

  • The Cost of Free $oftware

    Today we stumbled upon an interesting file. The file in question, "wrar380CorporateEdition.exe" (md5: f054f5a1bcb79098916c80b28e4f2bec), appears to be the install kit for the WinRAR archiver. Upon closer inspection, it is actually a self-extracting CAB installer containing two files: "wrar380.Regged.exe" and "Setup_ver1.1808.0.exe". When the installer is run, both files execute. While the file "wrar380.Regged.exe" is actually WinRAR, the other file is actually... malware. A closer look at "Setup_ver1...
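The quickest way to confirm what a self-extracting installer really carries is to locate the embedded cabinet and read its CFFILE directory instead of running it. The following is an added example, not code from the original post: it parses the Microsoft Cabinet (CAB) header, folder and file records, walks uncompressed CFDATA blocks, and hashes each contained file. The SFX stub and the two file bodies are constructed stand-ins; only the two file names come from the post, and the byte contents are not the real binaries.

```python
import hashlib
import struct

# Fixed-size records of the Microsoft Cabinet (CAB) format, all little-endian.
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")  # 36 bytes: sig, res, cbCabinet, res, coffFiles, res, vMinor, vMajor, cFolders, cFiles, flags, setID, iCabinet
CFFOLDER = struct.Struct("<IHH")             # coffCabStart, cCFData, typeCompress
CFFILE = struct.Struct("<IIHHHH")            # cbFile, uoffFolderStart, iFolder, date, time, attribs, then NUL-terminated name
CFDATA = struct.Struct("<IHH")               # csum, cbData, cbUncomp, then cbData payload bytes
COMPRESSION = {0: "none", 1: "MSZIP", 2: "Quantum", 3: "LZX"}


def build_sample_cab(files):
    """Build a single-folder, uncompressed cabinet (constructed test data, not a real installer)."""
    entries, payload, uoff = b"", b"", 0
    for name, data in files:
        entries += CFFILE.pack(len(data), uoff, 0, 0x3B21, 0x0000, 0x20)  # 0x20 = archive attribute
        entries += name.encode("ascii") + b"\x00"
        uoff += len(data)
        payload += data
    coff_files = CFHEADER.size + CFFOLDER.size
    coff_cab_start = coff_files + len(entries)
    data_block = CFDATA.pack(0, len(payload), len(payload)) + payload  # csum 0 = not checked
    cb_cabinet = coff_cab_start + len(data_block)
    header = CFHEADER.pack(b"MSCF", 0, cb_cabinet, 0, coff_files, 0, 3, 1, 1, len(files), 0, 0x1234, 0)
    folder = CFFOLDER.pack(coff_cab_start, 1, 0)  # one CFDATA block, typeCompress 0 (stored)
    return header + folder + entries + data_block


def find_cabinets(blob):
    """Yield offsets of every plausible CFHEADER inside blob (an SFX stub, a resource, anything)."""
    pos = blob.find(b"MSCF")
    while pos >= 0:
        if pos + CFHEADER.size <= len(blob):
            h = CFHEADER.unpack_from(blob, pos)
            cb_cabinet, coff_files, vminor, vmajor, n_files = h[2], h[4], h[6], h[7], h[9]
            # Reject stray "MSCF" strings: version must be 1.3 and the offsets must fit the buffer.
            if (vmajor, vminor) == (1, 3) and CFHEADER.size <= coff_files < cb_cabinet <= len(blob) - pos and n_files:
                yield pos
        pos = blob.find(b"MSCF", pos + 4)


def list_files(blob, base):
    """Parse the CFFOLDER and CFFILE records of the cabinet that starts at `base`."""
    h = CFHEADER.unpack_from(blob, base)
    coff_files, n_folders, n_files, flags = h[4], h[8], h[9], h[10]
    if flags & 0x0004:  # cfhdrRESERVE_PRESENT: extra per-header/folder/data reserve areas
        raise NotImplementedError("reserve fields not handled")
    folders = [CFFOLDER.unpack_from(blob, base + CFHEADER.size + i * CFFOLDER.size) for i in range(n_folders)]
    files, pos = [], base + coff_files
    for _ in range(n_files):
        cb_file, uoff, ifolder, _date, _time, attribs = CFFILE.unpack_from(blob, pos)
        pos += CFFILE.size
        end = blob.index(b"\x00", pos)
        name = blob[pos:end].decode("utf-8" if attribs & 0x80 else "latin-1")  # 0x80 = name is UTF-8
        pos = end + 1
        # iFolder values >= 0xFFFD mark files spanning cabinets; they get no folder here.
        ctype = folders[ifolder][2] & 0x000F if ifolder < len(folders) else None
        files.append({"name": name, "size": cb_file, "offset": uoff, "folder": ifolder,
                      "compression": COMPRESSION.get(ctype, "continued/unknown")})
    return folders, files


def folder_data(blob, base, folder):
    """Concatenate a folder's CFDATA payloads. Only typeCompress 0 (stored) is decoded here."""
    coff_cab_start, n_data, ctype = folder
    if ctype & 0x000F != 0:
        raise NotImplementedError(f"compression {COMPRESSION.get(ctype & 0xF)} not handled")
    out, pos = b"", base + coff_cab_start
    for _ in range(n_data):
        _csum, cb_data, _cb_uncomp = CFDATA.unpack_from(blob, pos)
        pos += CFDATA.size
        out += blob[pos:pos + cb_data]
        pos += cb_data
    return out


def inspect_sfx(blob):
    """Report name, size, compression, MD5 and content of every file in each embedded cabinet."""
    report = []
    for base in find_cabinets(blob):
        folders, files = list_files(blob, base)
        cache = {}
        for f in files:
            if f["folder"] not in cache and f["folder"] < len(folders):
                try:
                    cache[f["folder"]] = folder_data(blob, base, folders[f["folder"]])
                except NotImplementedError:
                    cache[f["folder"]] = None
            data = cache.get(f["folder"])
            content = data[f["offset"]:f["offset"] + f["size"]] if data is not None else None
            report.append({**f, "cab_offset": base, "content": content,
                           "md5": hashlib.md5(content).hexdigest() if content is not None else None})
    return report


# Constructed stand-ins: the names are the ones the post reports, the bytes are not the real files.
SAMPLE_FILES = [
    ("wrar380.Regged.exe", b"MZ stand-in for the genuine WinRAR installer"),
    ("Setup_ver1.1808.0.exe", b"MZ stand-in for the second, malicious executable"),
]
# A fake SFX stub (not a valid PE) followed by the cabinet, as a self-extractor carries it.
SAMPLE_SFX = b"MZ" + b"\x00" * 126 + b"This program cannot be run in DOS mode.\r\n" + build_sample_cab(SAMPLE_FILES)

if __name__ == "__main__":
    for entry in inspect_sfx(SAMPLE_SFX):
        print(f'{entry["name"]:24} {entry["size"]:6d} {entry["compression"]:6} {entry["md5"]}')
```

Real self-extractors usually store folders with MSZIP or LZX compression, so on a live sample expect the listing to succeed and the hashes to be absent unless a decompressor is added; the directory alone is enough to show that a "WinRAR" installer drops a second executable.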
  • Email Scam Targets Microsoft Customers

    Email scams are a common way to spread malware and/or steal personal information. Some great guidelines to help you protect yourself from such scams are outlined here: http://www.microsoft.com/protect/computer/viruses/email.mspx We have recently found out about the latest in an ongoing string of email scams that target Microsoft customers. This particular scam contains the Backdoor:Win32/Haxdoor trojan as an attachment. We have seen a few emails targeting Microsoft customers that look like the...
  • What’s Travelling on the Wire (part 2)

    Quite a while has passed since we started logging data about incoming attacks on an Internet-connected system and now we have gathered enough information to show the risks of exposing an unsecured computer on the Web. Let’s start with some data about the attacks, first where they originate from and later, what they are trying to exploit: As you can see there are some prevalent countries, but basically most of the attacks originate from either Europe or Asia. What are the attacks attempting...
  • Malware Writer Wants an Eye-to-Eye With Us

    Zlob has been around for quite some time now and it is still evolving rapidly. If we thought of Zlob as a car, it has gone through the equivalent of several overhauls... Zlob constantly changes its decryption, obfuscation, and structure. As is our everyday routine, we were looking at several new variants of Zlob this morning and found this interesting message inside one of them: "I want to see your eyes the man from Windows Defender's team" It's the first time we've seen the Zlob writers include...
  • Get Protected, Now!

    Microsoft released a security update today that fixes a vulnerability that affects all supported versions of Windows. On some versions of Windows, an unauthenticated attacker can remotely execute code on a vulnerable computer. Basically if file sharing is enabled and the security update is not installed yet, the computer is vulnerable. File sharing is enabled in several scenarios though it is disabled by default in XP SP2 and newer operating systems. See the " Security Vulnerability Research &...
  • Uprooting Win32/Rustock

    This month we added a family of rootkit-enabled trojans to MSRT: Win32/Rustock. Win32/Rustock is a multi-component family of rootkit-enabled backdoor trojans, which was historically developed to aid in the distribution of 'spam' e-mail. First discovered sometime in early 2006, Rustock has evolved to become a prevalent and pervasive threat. Recently we've seen it associated with the incidence of rogue security programs. This might indicate that the Rustock family of trojans has gained some traction...
  • SWF for Malware Deployment

    More and more each day I see SWF files being sent to us as a potential part of a malware deployment chain. Most of the time it is not the case, but because of these special cases where the submitter was actually right, I decided to write this entry. I've been spending part of today tracking down some SWF files that are part of "the dark side". What I found out is that, excluding Flash exploits, SWFs are mainly used as redirectors: Most common case, directly linking to the target webpage...
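A redirector SWF is usually nothing more than a DoAction tag whose ActionScript 2 bytecode calls GetURL (or pushes a URL and calls GetURL2), so the destination can be pulled out statically without a Flash player. The following is an added example, not code from the original post: it inflates a CWS file, walks the tag RECORDHEADERs, decodes the ACTIONRECORDs in DoAction/DoInitAction tags and reports every navigation target. The sample SWF and its URL are constructed inline; the builder is there only so the parser has something to run on. AVM2 (DoABC, SWF 9+) and LZMA-compressed ZWS files are out of scope.

```python
import struct
import zlib

DO_ACTION, DO_INIT_ACTION, END_TAG = 12, 59, 0
ACTION_GET_URL, ACTION_PUSH, ACTION_GET_URL2 = 0x83, 0x96, 0x9A
# Byte widths of ActionPush value types other than 0 (NUL-terminated string).
PUSH_WIDTHS = {1: 4, 2: 0, 3: 0, 4: 1, 5: 1, 6: 8, 7: 4, 8: 1, 9: 2}
SAMPLE_URL = "http://landing.example/redir.php"  # constructed, not a real redirector


def decompress_swf(data):
    """Return the SWF with an uncompressed body; CWS = zlib stream after the 8-byte header."""
    sig = data[:3]
    if sig == b"FWS":
        return data
    if sig == b"CWS":
        return data[:8] + zlib.decompress(data[8:])
    raise ValueError("unsupported signature %r (ZWS/LZMA not handled)" % sig)


def first_tag_offset(body):
    """Skip signature, version, length, RECT (5-bit Nbits + 4 fields), frame rate and count."""
    nbits = body[8] >> 3
    rect_bytes = (5 + 4 * nbits + 7) // 8
    return 8 + rect_bytes + 4


def iter_tags(body):
    """Yield (code, payload) per RECORDHEADER; a u32 length follows when the low 6 bits are 0x3F."""
    pos = first_tag_offset(body)
    while pos + 2 <= len(body):
        (hdr,) = struct.unpack_from("<H", body, pos)
        code, length = hdr >> 6, hdr & 0x3F
        pos += 2
        if length == 0x3F:
            (length,) = struct.unpack_from("<I", body, pos)
            pos += 4
        yield code, body[pos:pos + length]
        pos += length
        if code == END_TAG:
            return


def read_cstr(buf, pos):
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("utf-8", "replace"), end + 1


def iter_actions(buf):
    """Yield (code, payload) ACTIONRECORDs; codes >= 0x80 carry a u16 payload length."""
    pos = 0
    while pos < len(buf):
        code = buf[pos]
        pos += 1
        if code == 0:  # ActionEnd
            return
        payload = b""
        if code >= 0x80:
            (length,) = struct.unpack_from("<H", buf, pos)
            pos += 2
            payload = buf[pos:pos + length]
            pos += length
        yield code, payload


def extract_redirects(data):
    """Return [(action, url, target)] for every GetURL/GetURL2 in the SWF's AVM1 action blocks."""
    body = decompress_swf(data)
    found = []
    for code, payload in iter_tags(body):
        if code == DO_INIT_ACTION:
            payload = payload[2:]  # leading u16 sprite ID
        elif code != DO_ACTION:
            continue
        pushed = []  # string operands pushed since the last stack-consuming action
        for acode, ap in iter_actions(payload):
            if acode == ACTION_GET_URL:
                url, p = read_cstr(ap, 0)
                target, _ = read_cstr(ap, p)
                found.append(("GetURL", url, target))
            elif acode == ACTION_PUSH:
                p = 0
                while p < len(ap):
                    vtype = ap[p]
                    p += 1
                    if vtype == 0:
                        s, p = read_cstr(ap, p)
                        pushed.append(s)
                    else:
                        p += PUSH_WIDTHS.get(vtype, 0)
            elif acode == ACTION_GET_URL2:  # pops target, then url
                if len(pushed) >= 2:
                    found.append(("GetURL2", pushed[-2], pushed[-1]))
                pushed.clear()
    return found


def build_sample_swf(url, target="_top", via_stack=False, compress=True):
    """Constructed minimal SWF: one DoAction tag that navigates the browser to `url`."""
    if via_stack:
        operands = b"\x00" + url.encode() + b"\x00" + b"\x00" + target.encode() + b"\x00"
        actions = bytes([ACTION_PUSH]) + struct.pack("<H", len(operands)) + operands
        actions += bytes([ACTION_GET_URL2]) + struct.pack("<H", 1) + b"\x00"  # method flags: GET
    else:
        operands = url.encode() + b"\x00" + target.encode() + b"\x00"
        actions = bytes([ACTION_GET_URL]) + struct.pack("<H", len(operands)) + operands
    actions += b"\x00"  # ActionEnd
    if len(actions) < 0x3F:
        tag = struct.pack("<H", (DO_ACTION << 6) | len(actions)) + actions
    else:
        tag = struct.pack("<HI", (DO_ACTION << 6) | 0x3F, len(actions)) + actions
    rest = b"\x00" + struct.pack("<HH", 0x0C00, 1) + tag + b"\x00\x00"  # RECT(Nbits=0), 12 fps, 1 frame, End tag
    total = 8 + len(rest)
    if compress:
        return b"CWS" + bytes([8]) + struct.pack("<I", total) + zlib.compress(rest)
    return b"FWS" + bytes([8]) + struct.pack("<I", total) + rest


if __name__ == "__main__":
    for sample in (build_sample_swf(SAMPLE_URL), build_sample_swf(SAMPLE_URL, via_stack=True)):
        print(extract_redirects(sample))
```

On a submitted sample, an empty result with a non-empty DoAction tag usually means the URL is assembled at runtime (string concatenation or a loader movie), which is the next thing to look at; a hit with no other content is the "pure redirector" case the post describes.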
  • SQL Injection - New Approach for Win32/FakeXPA?

    (often known as "Antivirus 2009"). One night while browsing, a message box popped up asking me to do a "security scan". As a researcher, I wouldn't let this pass me by. After going through my opened tabs I narrowed down the culprit to a forum I had open at the time. "View Source" showed a 1x1 pixel IFRAME pointing to hxxp://***.info/users/***/1.php. The position of this IFRAME is a little strange. It appears several times on the page, and each time right after the title of the forum. It appeared...
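The tell in this post is not the IFRAME alone but where it lands: the same 1x1 frame right after every copy of the forum title points at a stored field that was tampered with, not at a one-off edit of the page. The following is an added example, not code from the original post: a small HTML scanner that flags iframes rendered at 1x1 or smaller, or hidden by inline style, and records which heading each one follows so the repeated position stands out. The forum page is constructed; the masked URL is the one the post shows.

```python
from html.parser import HTMLParser


def _px(value):
    """Parse a width/height attribute such as "1", "1px" or "0%" into an int (None if absent)."""
    if value is None:
        return None
    digits = "".join(ch for ch in value.strip() if ch.isdigit())
    return int(digits) if digits else None


class HiddenIframeFinder(HTMLParser):
    """Collect <iframe> tags that are at most 1x1 or hidden via inline style."""

    def __init__(self):
        super().__init__()
        self.hits = []
        self.last_heading = None
        self._in_heading = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("h1", "h2", "h3"):
            self._in_heading = True
            return
        if tag != "iframe":
            return
        w, h = _px(a.get("width")), _px(a.get("height"))
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        tiny = w is not None and h is not None and w <= 1 and h <= 1
        if tiny or hidden:
            line, _col = self.getpos()
            self.hits.append({"src": a.get("src"), "line": line,
                              "reason": "hidden" if hidden else f"{w}x{h}",
                              "after_heading": self.last_heading})

    def handle_data(self, data):
        if self._in_heading:
            self.last_heading = data.strip()

    def handle_endtag(self, tag):
        if tag in ("h1", "h2", "h3"):
            self._in_heading = False


def find_hidden_iframes(html):
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.hits


# Constructed forum page: the injected frame follows every copy of the title, a normal embed does not.
SAMPLE_FORUM_PAGE = """<html><head><title>Example Forum</title></head>
<body>
<h1>Example Forum</h1><iframe src="hxxp://***.info/users/***/1.php" width=1 height=1 frameborder=0></iframe>
<div class="post">First post text.</div>
<h1>Example Forum</h1><iframe src="hxxp://***.info/users/***/1.php" width=1 height=1 frameborder=0></iframe>
<iframe src="http://video.example/embed/42" width="560" height="315"></iframe>
<h1>Example Forum</h1><iframe src="hxxp://***.info/users/***/1.php" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_FORUM_PAGE):
        print(f'line {hit["line"]}: {hit["reason"]:6} {hit["src"]}  (after heading: {hit["after_heading"]!r})')
```

When every hit shares one src and one preceding heading, check the database column that renders that heading rather than the template files: a SQL injection that appended markup to a stored title reproduces exactly this pattern on every page that prints it.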
  • Win32/Rustock Hide and Seek – MSRT Telemetry

    In his 10/18 blog post, Oleg provided great insights about the distribution, installation and payload of Win32/Rustock, which was added to the 10/14 MSRT release. As of 10/29 MSRT has removed this rootkit from 99,418 distinct machines. Breakdown of these removals by region is shown below.

    Country/Region    Distinct machines cleaned
    United States     41,305
    France             6,295
    Spain              5,987
    Italy              5,033
    United Kingdom     ...
  • Rogue Antivirus - A Closer Look at Win32/Antivirusxp

    Fake (or rogue) security applications have been a cause of confusion and problems for users for some years. These applications generally display fake warnings and malware detections in order to entice users to buy the application and thus ‘disinfect’ their system. Over time, the mechanisms used to avoid detection and distribute these applications have become more complex - code obfuscation is now common, and botnets are utilized for widespread distribution. Win32/Antivirusxp is one of these rogues...