Microsoft Malware Protection Center

Threat Research & Response Blog

February, 2011

  • FakeXPA raises a few brows

    When rogue security software uses multiple different names for itself, it's not especially noteworthy. In the past we have seen rogues that changed their names almost every day, and even a single rogue executable that could use one of 33 different names for itself. After several months of calling themselves "Antivirus 8", recent variants of Rogue:Win32/FakeXPA have begun going by the name of "AVG Antivirus 2011." This is not to be confused with the legitimate antivirus product from AVG...
  • Breaking up the Romance between Malware and Autorun

    As we reported in our most recent Security Intelligence Report, worms have been gaining speed in comparison to 2009. I remember a time when the world thought the day of the worm had come and gone. Although outbreaks that we saw in the Slammer and Blaster days never became an everyday occurrence, we’ve seen another trend where malware authors are upgrading their everyday static trojans to become worms and bots and oftentimes, bots that can propagate like worms. If you examine the top...
  • CVE-2010-3971, Not Quite the Weekend Warrior

    Today, the MSRC is releasing an update to address an Internet Explorer 0-day vulnerability (CVE-2010-3971), originally posted by a researcher to Full Disclosure in early Dec. Since the public disclosure took place, we, along with other MAPP partners, have been monitoring closely for malicious exploitation to keep tabs on the threat this issue posed to our customers. In late December, just before Christmas, we started seeing the first signs that attackers were actively trying to exploit this vulnerability...
  • Another round of bots for MSRT

    This month we add another bot to the MSRT family list – Win32/Cycbot. Cycbot was discovered in August 2010 and has quickly become prevalent. It seems that Cycbot’s creators called it “Gbot”, as it used this name as an identifier in the reports it would send back to its controllers. Recent variants of the malware have stopped using this identifier, possibly in an attempt to make detection more difficult, but the functionality hasn’t changed much. All of Cycbot’s...
  • The Streets of San Francisco

    February 14 is right around the corner and that can mean only one thing: it's time for the RSA conference in San Francisco. This year, Scott Charney, Corporate Vice President of Trustworthy Computing, will present a keynote Tuesday morning at 9am on Collective Defense: Collaborating to Create a Safer Internet. Scott's talk will highlight a number of computing trends and the evolution of online threats while sharing Microsoft's vision of how we can work together to improve the safety for everyone...
  • Battling the Zbot Threat (with MSRT)

    Hello Internet! As you may recall, last October we updated MSRT to include the well-known malware Zbot (aka Zeus), one of the more prolific bots we see in the wild today. Today, we released a special-edition Security Intelligence Report, entitled “Battling the Zbot Threat,” that documents the background, functionality, prevalence, and geographical distribution of Zbot malware. The paper also shows how Microsoft has had a measurable effect on the Zbot ecosystem since broadening its...
  • SMS Mobile Malware Feelin’ the Love

    Thinking of sending an MMS message to a loved one? Think twice before downloading mobile applications that promise just that. With all the hoopla that this love month already has going on, obviously malware authors are joining in on the bandwagon. Instead of making someone’s day, you might have unknowingly been victimized by an SMS Trojan that poses as an MMS application. We came across a downloadable file named ‘love_mms.rar’ (c0974da6494118324b1eb2ba4ae47a96a8e3b6c1) that contains...
  • My Sweet Valentine - the CIFS Browser Protocol Heap Corruption Vulnerability

    On Valentine's Day, an anonymous researcher announced a previously undisclosed SMB (Server Message Block) vulnerability affecting the CIFS (Common Internet File System) browser service. Along with the vulnerability, the researcher also posted Proof-of-Concept (PoC) exploit code showing exactly how to exploit the vulnerability, triggering a blue screen in kernel mode. Considering the issue was disclosed without providing any time for remediation or a patch, we analyzed the vulnerability and...
  • Identity Theft Affects Virus Writers, Too

    Lots of people have web-based e-mail addresses, such as Hotmail, Live, or Gmail. Some of these addresses are used as "throw away" accounts, and abandoned once they are no longer needed. Others are simply left alone and forgotten as real life intrudes. It seems likely that most of the corporations that offer the service also have a policy of closing accounts that have been dormant for a period of time. Once the account is closed, someone else can easily create a new...