Microsoft Malware Protection Center

Threat Research & Response Blog

July, 2010

  • The Stuxnet Sting

    For the past week or so, we've been closely tracking a new family of threats called Stuxnet (a name derived from some of the filenames and strings in the malware: mrxcls.sys, mrxnet.sys). In the past few days, it has become a popular topic of discussion among security researchers and in the media. First and foremost, we have recently released one additional signature for this threat, and urge our readers to make sure they have the latest anti-malware definition updates installed. Prevalence...
  • Stuxnet, malicious .LNKs, ...and then there was Sality

    Today, Microsoft announced plans to release an out-of-band update to address CVE-2010-2568 (described in Microsoft Knowledge Base Article 2286198). As mentioned earlier this month, the Microsoft Malware Protection Center (MMPC), along with other Microsoft Active Protection Program partners, has been keeping a close watch on the use of .LNK files exploiting this vulnerability. As with many new attack techniques, copycat attackers can act quickly to integrate new techniques. Although...
  • Update on the Windows Help and Support Center Vulnerability (CVE-2010-1885)

    Just a quick post here to provide an update on the attack attempts related to the Help and Support Center vulnerability and to stress the importance of applying the critical update made available today, MS10-042, which fixes the issue for the two vulnerable operating systems, Windows XP and Windows Server 2003. A few weeks ago, MMPC reported seeing automated attacks that were identified by the signatures we had deployed in our protection products. These attack attempts have continued to expand and some...
  • Protection for New Malware Families Using .LNK Vulnerability

    We’ve added detection for two new malware families using the vulnerability described in SA2286198. The first, Win32/Vobfus, is actually a family of obfuscated worms that has been around since 2009. According to our fellow researcher Marian Radu, who named the family, the name was derived from the fact that the worm is coded in Visual Basic (VB) and is highly obfuscated: V(isual Basic) + obfus(cated) = Vobfus. We need to emphasize, however, that the first Vobfus samples that we’ve...
  • How the bad guys use Search Engine Optimization (SEO)

    Often you read about how, during major news events, the bad guys have commandeered the search engines, so that if you go looking for more information about the news event, you end up at a page serving you malware, nowadays usually some kind of fake antivirus program. But how did the bad guys fool the search engines into ranking their sites so highly that people click on them? Let me explain, using a spamming shoe seller as an example of the technique. First, I have...
  • Keeping Kerrigan from Infection

    "Adun Toridas!" Starcraft fans would recognize that as a famous line from the original Starcraft, which was released in 1998. Starcraft is a real-time strategy game that became a massive hit worldwide. The release date for its sequel, Starcraft II: Wings of Liberty, is today, the 27th of July. Players can install the game but can only activate their licenses from this day onwards. Surely most gamers out there (including us) are eager to get their hands on this new title, especially if you were...
  • Bubnix Uses Interesting Obfuscation Scheme

    This month, we added the Bubnix family to the latest Malicious Software Removal Tool (MSRT) release. WinNT/Bubnix is a complicated spam bot which arrives on an affected computer by way of a downloader, TrojanDownloader:Win32/Bubnix.A. TrojanDownloader:Win32/Bubnix.A is itself often downloaded by variants of Win32/Bredolab and Win32/Harnig in the wild. Generally speaking, it is common for a malicious executable to be transferred in encrypted form by a downloader. In order to increase the apparent...