Microsoft Malware Protection Center

Threat Research & Response Blog

February, 2010

  • If it calls itself “Security Essentials 2010”, then it’s possibly fake, innit?

    Well, it had to happen eventually. One of the oldest tricks used by rogue antivirus products is to use a similar name as, or have a similar look and feel to, legitimate security software. It’s been commonplace for them to mimic the Windows Security Center. So it was inevitable that the day would arrive when a rogue would masquerade as something similar to Microsoft Security Essentials. If anything, it surprises me a little that it’s taken so long. This one calls itself “Security Essentials 2010...
  • Restart issues on an Alureon infected machine after MS10-015 is applied

    The Win32/Alureon family of malware is a complex set of components which perform various functions. These include the modification of DNS settings, search hijacking, and click fraud. Alureon has existed for several years and has undergone a number of evolutionary changes. The ability to “infect” the miniport driver associated with the hard disk of the operating system is a recent notable change. This functionality first appeared around August 2009. For the most common system configuration (for machines...
  • Dismantling Waledac

    Today, you may have read in the Wall Street Journal about an operation Microsoft has been conducting against the Win32/Waledac botnet. If you haven’t already seen the article, you can find additional information in the Microsoft on the Issues blog. In summary, the Microsoft Digital Crimes Unit with support from the Microsoft Malware Protection Center has taken legal and technical steps in an attempt to disable the command and control infrastructure of Waledac in order to prevent the criminals responsible...
  • MSRT February - When Push Comes to Shove

    This month we add another bot family to MSRT – Win32/Pushbot . Pushbot is, in many ways, an “old school” bot. It is controlled through IRC, it can distribute itself through several different channels and its source code is more or less open (for those who mix in certain circles). Like Win32/Rbot , Pushbot isn’t one piece of malware that is updated and maintained by one group of malware writers, but rather a collection of malicious programs created by different people based on a common base of source...
  • Cupid Struck

    It's just a few more days before Valentine's Day. As most people now are already preparing their celebration, malware authors are also getting ready to use this popular event to target users with their malicious intent. Here's one example of a malicious file (2077ed17f0ad92dafb8fb7601570e06580e4b7f1) we've seen recently: Upon execution, it drops the following picture file greeting: Note: It seems that the malware writers are using valid images from legitimate Web sites. Cute isn’t it? However...
  • Are you from an Internet cafe?

    In a previous blog , I mentioned a family of malware named Dogrobot, which attempts to penetrate the protection offered by particular hardware that is widely used in Internet cafés in China. Interestingly, we recently discovered a trojan, TrojanDownloader:Win32/Chekafe.A , that checks whether an affected machine is in an Internet café or not. If the affected machine is not from an Internet café , it sends the MAC address of the affected machine to a remote server. Leading me to ask two questions...
  • News "parasites" on the prowl

    With the Winter Olympics in the news for the past couple of weeks, malware profiteers, as usual, are hard at work churning their "little greased wheels", looking to capitalize on any opportunity to get the slightest hint of public attention. Their strategy is simple: populate a malicious Web page with keywords that are likely to come up in news-related searches. The sooner such a page can be put up, the better chance it has of getting a high search engine ranking. Even though normally there aren...