Microsoft Malware Protection Center

Threat Research & Response Blog

October, 2010

  • Have you checked the Java?

    Whilst working on our normal data pull and analysis for the Microsoft Security Intelligence Report ( v9 - released last week ), I embarked on a mini discovery mission on the exploit data that MMPC detects with our antimalware technology. Although the main focus of antimalware software is on traditional malware families, antimalware technologies can do a good job when it comes to file exploits that require a lot of parsing, such as exploit-laden movies, documents, and ... Java. What I discovered...
  • MSRT on Zbot, the botnet in a box

    This month, the MSRT team has added detection and removal for Zbot , one of the most widely known active botnets today. Although the malware itself is quite complex and varied, the technical acumen required to use and distribute it is actually quite low. Toolkits to create the malware are easily attainable and quite simple to use as the following screenshot shows. Underground forums are teeming with questions ranging from the very basics about configuring the malware to people boasting about...
  • CCM - Our Threat Indices in the Security Intelligence Report

    At the recent Virus Bulletin 2010 Conference in Vancouver, BC, I made a presentation highlighting infection data collected from the Malicious Software Removal Tool and data collected from Microsoft Security Essentials in its first year. The presentation (coincidentally on the Security Essentials one year anniversary ), entitled " Observations and lessons learned from comparing point-in-time cleaning against real-time protection ", showed the MSRT as a baseline removal tool to keep the ecosystem clean...
  • An Early Look at the Impact of MSRT on Zbot

    As those who follow our blog already know, we added Win32/Zbot to MSRT this month.  This is a complex threat with techniques employed to make removal by AV challenging and which necessitated advances in the technology we use.  The threat is aimed at theft of credentials (often financial) and, according to the FBI , part of a major theft ring which, as the result of cooperation between law enforcement in several countries, led to numerous arrests this month. Since the release of MSRT on...
  • Announcing Microsoft Security Intelligence Report version 9

    Today, the 9th edition of the Microsoft Security Intelligence Report was released as Adrienne Hall, General Manager of Microsoft Trustworthy Computing Communications, gave her keynote at RSA Europe.   This time around, we've done a few things differently.  First off - we've dedicated this particular volume to the study of botnets and the role that they play in the malware world.  You'll find a historical anthology of how botnets came to be along with modern-day examples, including...
  • The Botnet Superhighway

    The latest Microsoft Security Intelligence Report (SIR) dedicates a whole section to botnets and the role they play in today's world of malware, and for good reason - the pathways of the malware world are quickly merging into a botnet superhighway, a new conduit used for many nefarious purposes. If you compare the worldwide infection rate of computers cleaned per thousand ( CCM ) as detailed in the botnet section of SIR v9 with the general malware CCM, an interesting picture emerges.  By Q2...
  • Bredolab Takedown, Another Win for Collaboration

    Earlier this week (October 25), authorities in the Netherlands took action against one of the Win32/Bredolab botnets and person(s) who may be responsible for this threat as part of an investigation codenamed TOLLING- part of a larger project named TAURUS. This follows on the heels of similar efforts against Win32/Zbot by the Federal Bureau of Investigation’s Operation “Trident Breach” in partnership with international law enforcement agencies, operations in Spain and Slovenia against the Win32/Rimecud...
  • Standards and Policies on Packer Use

    For those people who missed my presentation at Virus Bulletin this year, I co-presented on the topic of "proper" packer usage. The idea of a “proper” way to use packers is two-fold: (a) It reduces the prevalence of legitimate packers being used to pack malware. (b) It makes it easier to identify packers which exist only to pack malware. This is an industry-wide initiative, with backing from over a dozen security companies, including McAfee, Symantec, IBM, and Trend Micro...
  • Nobel Prize site hacked, delivers malware

    Yesterday (Oct 26, 2010), MMPC researchers learned that the Nobel Peace Prize website " nobelprize.org " was hacked and users browsing the site using Firefox versions 3.5 and 3.6 may have received malware. The malware is delivered by way of a malicious JavaScript that exploits a vulnerability in Firefox. Mozilla is aware of the vulnerability and note that an update of the browser is pending. Microsoft provides protection against the malicious JavaScript as " Exploit:JS/Belmoo "...
  • i can haz flaming recon pls?

    If you play Halo, you probably know that the Recon Armor is a rare armor variant that is only available to the makers of Halo, Bungie, and players who have unlocked all Vidmaster challenges in previous versions of the game. With the recent release of Halo: Reach, a lot of users are looking for free means to get hold of this armor for their game play. Apparently, malware writers also took notice of this opportunity to distribute malware masking as code generators for the flaming recon helmet and Halo...