Microsoft Malware Protection Center

Threat Research & Response Blog

November, 2008

  • More MS08-067 Exploits

    As expected, we are seeing another wave of attacks exploiting the vulnerability detailed in security bulletin MS08-067. Early last week we blogged about MS08-067 exploits. At that time, the number of exploits in the wild was still low and they were mostly targeted attacks. However, during the weekend we started receiving customer reports for new malware that exploits this vulnerability. During the last two days that malware gained momentum and as a result we see an increased support call volume...
  • MSRT Review on Win32/FakeSecSen Rogues

    Win32/FakeSecSen was added to the MSRT November release, as Hamish mentioned in his MMPC blog. We’ve since observed MSRT removing FakeSecSen from 994,061 distinct machines. The breakdown of these removals by region is shown below.

      Region/Country    Distinct Machines Cleaned
      United States     548,218
      United Kingdom    74,343
      France            47,581
      Germany           43,347
      Netherlands       28,724
      Spain             23,027
      Italy...
  • Malware and Signed Code

    Microsoft Authenticode® is a technology that can help ensure the source of code. It does not ensure that code is safe to run, but it can ensure that the code is associated with an entity in a trust chain. Since you should base your trust decision about code on whether you trust the source or not, Authenticode helps you with that decision by giving you more information about the source of code. You can find out more about it here: http://msdn.microsoft.com/en-us/library/ms537361(VS.85).aspx ...
  • Win32/FakeSecSen - A Nasty Piece of Work

    I hate rogues. I don’t mean the World of Warcraft character class; I’m talking about rogue security software. In case you haven’t heard the term before, this is software that tells you that your system is crawling with bad stuff (for free!) and then offers to remove it for you (that’ll cost you). Of course the stuff they report is completely bogus; they are incapable of finding any real malware. What’s more they can be very insistent, repeatedly displaying popup warnings that make it virtually impossible...
  • A Quick Update About MS08-067 Exploits

    A few weeks ago, Microsoft released an update for a vulnerability in Windows that was considered “wormable” in certain scenarios. Bulletin MS08-067 includes more information. There were limited attacks in the wild at the time of the release and we blogged about it here. We would like to give you a quick update about the attacks we've seen since then. First, it is quite obvious that people are trying to create effective exploits for this vulnerability. Almost every day, we find new variants exploiting...
  • Microsoft Security Intelligence Report Volume 5 is Now Available

    One of our goals here at the Microsoft Malware Protection Center (MMPC) is to share the valuable data, insights and expertise we have with customers on a regular basis in an effort to help customers better understand the changes occurring in the threat landscape and improve their defenses accordingly. We just released the fifth volume of our Microsoft Security Intelligence Report (SIR). The SIR shares the conclusions drawn by our research team using data gathered from hundreds of millions of computers...
  • Crush, Crumble and Chomsky!

    In February of last year, SPTH said "I'm going to sleep for a number of years", which turned out to be less than two. Interestingly, this is exactly the same phrasing that roy g biv used before he switched to writing Windows viruses. The number was five-and-a-half in roy's case, and, more recently, no-one has heard from him for months. That could be a good sign. Maybe he was so disappointed by the EOF-DR-rRLF zine that he gave it all up. I remain hopeful. Anyway, back to SPTH. SPTH has written an...