Microsoft Malware Protection Center

Threat Research & Response Blog

March, 2010

  • Waledac, Botnets and RSA

    By now you have likely seen multiple reports of Operation b49 which has targeted the Win32/Waledac botnet’s command and control infrastructure. As I mentioned in my last blog there is still more work that needs to be done in terms of cleaning up infected systems. Of course, Win32/Waledac is not the only botnet; even though we have taken positive steps in an attempt to neutralize this family of malicious software, there is still a need for additional action and cross-industry cooperation to combat...
  • In focus: Mariposa botnet

    In January this year, the MMPC added Win32/Rimecud to MSRT's removal capability. Win32/Rimecud to MSRT's removal capability. As previously discussed by Marian , this worm propagates mainly via removable devices, IM, and P2P channels; and utilizes backdoor functionality to communicate with a C&C server. It differs from other bots in that it does not use a standard IRC protocol for its command and control functions. Between January and February this year the MSRT alone reported over 1 million distinct...
  • CVE-2010-0188: Patched Adobe Reader Vulnerability is Actively Exploited in the Wild

    While recently analyzing a malicious PDF file, I noticed a vulnerability exploited by the sample which I've never encountered before. After a bit of research I came to the conclusion that this specific sample exploited CVE-2010-0188 . This is a fresh vulnerability, information about which was just published this February. It is described as possibly leading to arbitrary code execution, which is exactly what’s happening. When the PDF file is loaded, Adobe Reader opens and then closes, while...
  • MSRT: Helping us de-Helpud you

    Greetings purveyors of the Internet! Welcome to another thrilling installment of "MSRT: Miami", aka "What's new in MSRT this month?"! It's Win32/Helpud . What, anti-climactic? Perhaps. However that doesn't take away from the importance of this addition to MSRT; we're extending our coverage of online game password stealers! Now, Win32/Helpud is not new to the malware scene. It's been around for a couple of years now and consistently maintains a presence on our radars. You may recall Win32...
  • Win32/FakeRean is 33 rogues in 1

    Back in August 2009 we added a rogue called Win32/FakeRean to the list of families removed by MSRT. At the time, I wrote about how it used several different names, like Home Antivirus 2010 and PC Antispyware 2010, which all looked pretty much the same. This is a trick used by most modern rogues; I covered it in some detail in my presentation at Virus Bulletin conference last September. Alongside the use of different names, we've seen some rogues introduce different versions for different operating...
  • Got Zbot?

    PWS:Win32/Zbot a.k.a Zeus/WSNPoem is a password-stealing trojan that monitors for visits to certain Web sites. It allows limited backdoor access and control and may terminate certain security-related processes. In our collection, although we have some Win32/Zbot malware toolkit/builder samples that date back to the 1st quarter of 2008, we already received and created detections for a number of Win32/Zbot samples from earlier - as early as the last quarter of 2006 (an early SHA1 is 006227158415078de14b4fe889dfe8dedfcf4e0b...
  • What we know (and learned) from the Waledac takedown

    Recently, following an investigation to which various members of the MMPC contributed, Microsoft’s Digital Crimes Unit initiated a takedown of the Waledac botnet in an action known as Operation b49 , an ongoing operation to disrupt the botnet for the long term. The takedown also marked a new phase of exploration in combating botnets, which we call Project MARS (short for Microsoft Active Response for Security). While it is still too early to know the entire scope of this particular takedown's impact...
  • Bots, bots, and again bots

    Today we are going to take a closer look at bots and botnets. On the black market, selling bots and botnets is quite profitable, which makes creating them a popular activity for criminals. It helps that bot sources and creation kits are available on the Internet, allowing even script kiddies to create their own botnets. Another reason bots get created is that some people who get bored in their daily lives tend to do things that in their opinion might earn them respect or admiration in front of their...
  • Active Exploitation of CVE-2010-0806

    On March 9, Microsoft started investigating reports of targeted attacks using a previously undisclosed vulnerability (CVE-2010-0806) affecting Internet Explorer 6 and 7 (Internet Explorer 8, Windows 7, and Windows Server 2008 R2 are not susceptible). As a member of the Microsoft Active Protections Program (MAPP), the MMPC and other members received information about the vulnerability and immediately deployed protection for our customers. We’ve been tracking exploit attempts against this vulnerability...