Microsoft Malware Protection Center

Threat Research & Response Blog

December, 2010

  • Unhappy New Year

    Malware authors don’t miss any major event in their attempts to spread malware. Evidently, they see the upcoming New Year as yet another opportunity to get their creations into unsuspecting users' computers. We have already seen signs of malware misusing this happy event. In most cases, these are spammed emails that look like legitimate “Happy New Year” messages or “New Year”-themed greetings. Here is a recent example: As you can see, the video can’t be...
  • Targeted attacks against recently addressed Microsoft Office vulnerability (CVE-2010-3333/MS10-087)

    Last November, Microsoft released security bulletin MS10-087, which addresses a number of critical vulnerabilities in how Microsoft Office parses various office file formats. One of them is CVE-2010-3333, "RTF Stack Buffer Overflow Vulnerability," which could lead to remote code execution via specially crafted RTF data. A few days before Christmas, we received a new sample (sha1: cc47a73118c51b0d32fd88d48863afb1af7b2578) that reliably exploits this vulnerability and is able to execute malicious...
  • Phishing encounter while on vacation

    It was my first night in Beijing for a long-overdue vacation. I purchased a SIM card from the airport and sent SMS greetings to friends and family and other families in town. SMS is hugely popular and a main communication channel in China. Guess what? The first SMS I received was from a strange number: [Image 1 - SMS spam with hyperlink] The message was a “congratulations” from a very popular Chinese television show on CCTV, named “Special 6+1” that my cell number was selected and that I had...
  • MSRT December: If it quacks like a bot, it's probably Qakbot.

    This month, the MSRT team has added the Win32/Qakbot family of backdoors to its detections. Qakbot is composed of several components, including a keylogger, a password stealer and a user-mode rootkit. Qakbot is commonly distributed as the payload of what appear to be attacks, mainly targeted at enterprise installations. Qakbot starts as a highly obfuscated JavaScript that downloads and runs an installer and user-mode rootkit. At this point, Qakbot is hidden from the user...
  • CVE-2010-3962 – The weekend warrior

    The Microsoft Malware Protection Center has been tracking a recent 0-day vulnerability for Microsoft Internet Explorer very closely after it was found in the wild in early November, apparently being used in targeted attack attempts. As public exploit code became available and attackers began integrating the code into their toolkits, we continued to closely monitor the attack attempt patterns through the coverage (Exploit:Win32/CVE-2010-3962) provided to customers. The attack patterns for...
  • Looks familiar? Yes! From Alureon!

    It's a normal day to us. We receive a new Bamital virus sample report from a customer, and we provide an analysis. Suddenly, something interesting bursts into my eyes: What's your thought on this code fragment? At first glance, this piece of code looks like a non-malicious call to manipulate the Windows Printer SubSystem. But if you've analyzed Alureon before, it may look familiar to you. Yes, Alureon also takes advantage of the Windows Print Subsystem to install its payload. Now let...
  • FakeSysdef: We can defragment that for you wholesale! / Diary of a scamware

    Initially it was "System Defragmenter", then "Scan Disk" and now it's called "Check Disk". While the name will most certainly change again, the main goal of Trojan:Win32/FakeSysdef will surely remain the same: to trick you into buying a piece of software that does nothing except scare you with fake warnings, critical "errors" and other "problems". As the name suggests, this malware imitates a hard disk defragmenter. It will pretend to scan your computer...