Microsoft Malware Protection Center

Threat Research & Response Blog

June, 2009

  • Online Game Password Stealers Riding with 0-day DirectShow Exploits

    On May 28, our colleagues at the Microsoft Security Response Center released advisory 971778, which describes a new vulnerability in Microsoft DirectShow affecting Windows 2000, Windows XP and Windows Server 2003. You can obtain more details on how to protect your environment from this vulnerability from the Microsoft SRD blog. We have been closely monitoring the malware landscape for threats that leverage exploits against this new vulnerability. We subsequently developed and released...
  • Radio-Frequency Identification devices, is infection a reality? (Part 2 - Hardware)

    An RFID system is based around a reader and a tag. A tag stores information, whereas an RFID reader retrieves or modifies the information stored on the tag. To transmit this information through the air, both devices use high-frequency electric current oscillations (the frequency of such oscillations is also known as radio frequency, or RF) which, when applied to a piece of wire (referred to as an antenna), have a tendency to extend themselves well beyond the actual antenna wire boundary in the form...
  • Internet Antivirus Pro is "unable" (to detect any real malware)

    This month, MSRT takes on another prevalent rogue family. This one is called Win32/InternetAntivirus and, although it has dabbled with the names General Antivirus and Personal Antivirus*, it is usually easy to recognise by the moniker Internet Antivirus Pro. Win32/InternetAntivirus follows the familiar path of a fake online scanner leading to a rogue downloader, which in turn installs the rogue itself. The online scanner looks like this: The rogue downloader that these pages want you to run also...
  • Bugging the Debuggers

    No-one who knows what they're talking about would say that writing a debugger is easy. It's certainly made harder when the platform offers so many opportunities for things to go wrong. Here are two examples. CreateToolhelp32Snapshot: this function was introduced to the Windows NT line in Windows 2000, though it existed as far back as Windows 95 in a separate DLL. On Windows NT-based systems, it calls into the ntdll RtlQueryProcessDebugInformation() function, which performs the majority of the...
  • Microsoft Security Essentials Beta Announced

    Microsoft Security Essentials is a new, no-cost anti-malware solution for genuine Windows PC consumers that provides real-time protection against viruses, spyware and other malicious threats. It is a lightweight, effective and modern anti-malware product that runs on 32-bit and 64-bit Windows 7, Windows Vista and Windows XP SP2 and higher, and on modern consumer form factors such as netbooks. A beta version of Microsoft Security Essentials v1.0 is available today for up to 75,000 consumers in a limited...
  • Radio-Frequency Identification devices, is infection a reality? (Part 3 - Security)

    So far, it seems that a number of known attacks on RFID devices can be generally sorted into three broad categories, that is: cloning an RFID tag, unauthorised modification of an RFID tag, using an RFID tag to mount an attack on an RFID back-end application, and attempting a blunt denial of service. Continuing the biological virus analogy, an RFID tag can act as a carrier affected by a dormant infection, and the RFID protocol and radio waves can act as a transmission medium (say, like...
  • PDF E-ducation

    Recently, Marian and Andrei presented a paper at the CARO Workshop about PDF vulnerabilities and the exploits related to them. As we presented in our latest Security Intelligence Report, there was an increase in the use of these exploits, and the trend continues. Since the beginning of the year, we have received over five thousand different samples taking advantage of various PDF vulnerabilities. Even though updates for these vulnerabilities are available, some for more than a year, people remain...