Microsoft Malware Protection Center
Threat Research & Response Blog
August, 2010
Update not so Tweet for you
Posted over 3 years ago by mmpc2
It's very important your computer, software and browser are running with the latest updates, but it's equally important to be discerning about where your updates are coming from. A perfect example of the latest update scam: Recently, we observed malware writers using compromised Twitter accounts to post fake tweets about the 'latest TweetDeck update' as mentioned on the TweetDeck Support portal. The tweet contains a URL that points to the fake TweetDeck update file called 'tweetdeck-08302010...
Alureon Evolves to 64 Bit
Posted over 3 years ago by mmpc2
Back in May, we posted an article with an update on Win32/Alureon. As the numbers demonstrate, we have been making a positive impact in terms of protecting customers from this family of attacks. Since releasing the Alureon rootkit detection and removal capabilities in MSRT (the Microsoft Malicious Software Removal Tool), there have been over 1,200,000 successful removals of this family from machines. Variant Removals Virus:Win32/Alureon.H 647...
Is it a Monet? Looks different from afar...
Posted over 3 years ago by mmpc2
Recently, my MMPC research colleague Michael Johnson blogged about an interesting social engineering technique that results in a malicious JavaScript being run on the unsuspecting recipient's computer when they follow the instructions provided in a .PNG image file. Unsurprisingly, we recently found that malware authors are using this PNG-to-BMP conversion process as a means of obfuscating their malicious code, without any user interaction. Trojan:Win32/Sirefef.M belongs to a family of malware...
One Week Later: Broken LNKs and MSRT August
Posted over 3 years ago by mmpc2
This month’s Malicious Software Removal Tool (MSRT) release added new detection and cleaning for several malware threats that incorporate the use of the CVE-2010-2568 vulnerability (which was fixed by the MS10-046 security bulletin released in August). This includes the Win32/Stuxnet family and several variants of Win32/Vobfus and W32/Sality. From a global perspective, the results for these .lnk-related families were interesting. The following chart shows countries with the most saturated...
Unruy downloader uses CVE-2010-0094 Java vulnerability
Posted over 3 years ago by mmpc2
Unruy is a family of trojan downloaders and unsolicited advertisement "providers" and although you might not have heard about it, it also is an infection vector for a rather prevalent family of rogues: Trojan:Win32/Fakespypro. Recently we discovered a variant of Win32/Unruy, namely TrojanDownloader:Win32/Unruy.D (6120ac9c363c6da7cd7f8bed4edd314f0d3d8f4e), that is actively using the Java vulnerability discussed in CVE-2010-0094. The vulnerability exploits a flaw in the deserialization of RMIConnectionImpl...
Breaking Some Malicious LNKs with MSRT
Posted over 3 years ago by mmpc2
The MMPC added the following MS10-046 related threats to the MSRT detection capability in August:
Win32/Stuxnet
Win32/CplLnk
Worm:Win32/Vobfus.gen!A
Worm:Win32/Vobfus.gen!B
Worm:Win32/Vobfus.gen!C
Worm:Win32/Vobfus!dll
Worm:Win32/Sality.AU
Virus:Win32/Sality.AU
TrojanDropper:Win32/Sality.AU
Former blog posts have mentioned threats like Stuxnet, Vobfus, and Sality, which have incorporated the use of the CVE-2010-2568 vulnerability fixed by the MS10-046 bulletin...
Painting by Numbers
Posted over 3 years ago by mmpc2
The MMPC came across an interesting piece of social engineering today that embeds a malicious script, which has been observed circulating on 4chan message boards. On further investigation, it became apparent that this is the next stage in the evolution of a threat known as 4chan.js that has been around since 2008. This scenario relies on a user's trust of image file formats and an unfamiliarity with the .HTA format (by the way, HTA stands for HTML Application). The user is sent a .PNG file that looks...
Tripping Over "Step-Over"
Posted over 3 years ago by mmpc2
"Step-over" is a common feature of debuggers. It allows us to avoid stepping into a subroutine, which is especially useful if the subroutine is thousands of lines long, or an operating system API, etc. It also allows the user to (for some debuggers) step out of a loop or skip a repeated string instruction. So what's the downside? That depends on the debugger. The most common attack against step-over involves self-modifying code, where the destination of the breakpoint is replaced by another...