Microsoft Malware Protection Center

Threat Research & Response Blog

June, 2010

  • Attacks on the Windows Help and Support Center Vulnerability (CVE-2010-1885)

    We've been monitoring for active attacks on the Windows Help and Support Center vulnerability (CVE-2010-1885) since the advisory was released on June 10th. At first, we only saw legitimate researchers testing innocuous proofs of concept. Then, early on June 15th, the first real public exploits emerged. Those initial exploits were targeted and fairly limited. In the past week, however, attacks have picked up and are no longer limited to specific geographies or targets, and we would like to ensure...
  • Update on Telemetry Usage in Tests, Part 1

    Almost a year ago, I wrote a blog on promoting the use of telemetry when anti-malware testers compile their set of malware to run tests. I thought it might be time to give people an update. Basically, changing testers’ habits is like the proverbial turning of a battleship. Testers use tried and true methodology. And it’s important for the consumers of the test results to have consistent methodology to compare past results with present ones to build a pattern of progress. So, even to...
  • MSRT Targets Another Fake

    This month we add the rogue security program that we call Win32/Fakeinit to the list of malware families removed by MSRT. David wrote about Fakeinit a few months ago and it hasn't really changed since then. It's still calling itself "Internet Security 2010" and "Security Essentials 2010". We should expect to see "Security Essentials 2011" show up soon. Fakeinit uses the old one-two punch of first trying to convince you that there's malware all over your system, then offering a scanner that...
  • Further Unexpected Resutls [sic]

    It's been ten years since I first noticed the word "callback" in the Thread Local Storage (TLS) section of the Portable Executable format documentation. Since then, we've seen it used and abused by virus writers, packer vendors, and general mischief-makers (and me, too, of course, as part of my research). During that time, I thought that I had discovered everything that there was to know about it. Apart from the fact that it runs before the main entry point, there are other things that it can do:...
  • Your PC has been stoned again!

    A recently discovered backdoor sample (detected as Backdoor:Win32/Yonsole.A) can accept and execute a command from a remote server to modify the Master Boot Record (MBR) on the affected machine. The modification to the MBR is like the old "Stoned" virus for DOS. However, in this case, the MBR (the code is shown in Figure 1) does nothing but display a banner in the center of the screen and freeze the PC (Figure 2). We detect the new MBR as Trojan:DOS/Yonsole.A. Figure 1: The MBR code. Figure...
  • Small Wave of Verst Found in First Wave

    Recently Samsung released a new cell phone, the Wave, with a microSD card infected with malware. The malware itself doesn't run on the phone, but does try to infect your computer. One could speculate that the imaging computer used to manufacture the first run of SD cards was infected and further spread the infection to customer computers. It appears that this malicious software was distributed only to a limited number of customers and was isolated to a specific geographic region east of Spain...