Microsoft Malware Protection Center

Threat Research & Response Blog

November, 2010

  • MSRT Tackles Fake Microsoft Security Essentials

    We've seen a few rogue security programs use elements of legitimate security software in order to try to make themselves appear more authentic. It was inevitable that Microsoft Security Essentials would be the target of this kind mimicry. While some rogues have simply copied Security Essentials' name , others have gone further by imitating elements of the Security Essentials user interface. By far the most prevalent of these is Win32/FakePAV , which is this month's addition to the MSRT family list...
  • Explore the CVE-2010-3654 matryoshka

    We recently discovered a sample that is trying to exploit the 0-day Adobe vulnerability tracked by CVE-2010-3654 . This sample is being distributed as a PDF file, and it has a lot of complicated steps before the final payload is executed. Analyzing this sample is like working your way through a matryoshka doll.   The analysis of this malware can be broken down into four steps: The PDF The shellcode …More shellcode, and The Portable Executable file 1 . The PDF The PDF file contains four malicious...
  • It’s NOT Koobface! New multi-platform infector

    Facebook continues being a popular target for malware authors as we discover yet another family that uses this popular social network to propagate. The main component, which we detect as Trojan:Java/Boonana , is written in Java which gives it cross platform capability infecting Windows, Mac and Linux users. Trojan:Java/Boonana is sent via a link to a video to Facebook users. By clicking on the link, the user will be prompted to run the application “JPhotoAlbum”, which is a Java class inside a JAR...
  • New Year, Same Old Rogues

    New rogue security programs seem to be popping up all the time, but when we dig a little deeper what we see is mostly just new variants of the same old rogues. Five months ago, we wrote about a rogue we call Win32/Fakeinit that used the name "Security Essentials 2010". We expected to see the "2011" version appear at some point, and here it is: Apart from the name, not much has changed. In fact, it still uses the same file name it used to, "se2010.exe". It seems even rogue creators have trouble...
  • A Happy Thanksgiving from Rebhip?

    A day before Thanksgiving, as I was doing my work, I came across a sample (SHA1:b9b52db22d35c50081054d4ece39f520ae3ef9fe) from a customer submission, with the usual " ecard.exe " filename. It has an image icon but with an .EXE extension; a clear sign of malicious intent. As I further investigated the sample, it displayed the following greeting:   Note: the message displayed is from a valid electronic greetings website.   Microsoft Security Essentials already detects the malware...