Microsoft Malware Protection Center
Threat Research & Response Blog
March, 2011
Operation b107 - Rustock Botnet Takedown
Posted over 2 years ago by msft-mmpc
Just over one year ago, Microsoft, with industry and academic partners, utilized a novel combination of legal and technical actions to take control of the Win32/Waledac botnet as the first action in Project MARS (Microsoft Active Response for Security). Today, a similar action has had its legal seal opened, allowing us to talk more openly about recent activities against the Win32/Rustock botnet. Comparatively, Waledac was a much simpler, and smaller, botnet than Rustock. It is, however...
A Technical Analysis on the CVE-2011-0609 Adobe Flash Player Vulnerability
Posted over 2 years ago by msft-mmpc
On March 14, Adobe released a security advisory (APSA11-01) warning of 0-day attacks affecting Adobe Flash Player (versions earlier than and including 10.2.152.33). These attacks were hidden inside Microsoft Excel documents that were used as a vehicle to deliver the exploit. The Adobe Flash file embedded inside the Excel file is another carrier for the exploit. It loads shellcode inside memory, performs heap-spraying, and loads a Flash byte stream from memory to exploit the 0-day vulnerability...
How to defang the Fake Defragmenter
Posted over 2 years ago by mmpc2
We have been tracking the trail of this fake "System Defragmenter" software since its first appearance in October 2010, and warned our customers about this trojan software in our earlier post. In this follow-up post, we give an update, including a new variant worth noting for our customers. The fake system defragmenter family (FakeSysdef) is similar to rogue software in many ways, such as presenting forced installations, a polished user interface, false and annoying errors and a request...
Are you using the right "System Tool"?
Posted over 2 years ago by msft-mmpc
Recently, we have been seeing a lot of the Winwebsec rogue branded as "System Tool". Winwebsec authors have been using this brand since last year, but lately they have been running more aggressive campaigns. Winwebsec is installed in a variety of ways. One of the ways is by imitating popular applications. For example, it may use the file name adobe_update_2011.exe together with the UltraEdit (editor tool) icon. At this point, users who are familiar with Adobe should know that this is not the...
Very bad news, with more bad news embedded
Posted over 2 years ago by msft-mmpc
Malware writers never miss the chance to take advantage of big world events, no matter how tragic. The recent Japanese nuclear incident, caused by the devastating earthquakes, is their target this time. The Microsoft Malware Protection Center has been tracking a new backdoor (detected as Backdoor:Win32/Sajdela.A, SHA1 0c3526c7e1d6b8a3d2f5c21986c03f1dc0d88480) that is distributed by utilizing Exploit:Win32/CVE-2010-3333, code that exploits a previously-addressed RTF parser stack overflow vulnerability...
Trojan downloader Chepvil on the UPSwing
Posted over 2 years ago by mmpc2
A new spam campaign using UPS (United Parcel Service) as a social-engineering draw was initiated this week. The spammed message contains an attachment, detected as TrojanDownloader:Win32/Chepvil.I. The spam campaign actually started around March 16th 2011. The threat was originally detected as Backdoor:Win32/Hostil.gen!A (was Backdoor:Win32/Hostil.F). More specific signatures (TrojanDownloader:Win32/Chepvil.I and TrojanDownloader:Win32/Chepvil.J) were added on March 22nd 2011. Win32/Chepvil is...
Embedded JavaScript in SWF
Posted over 2 years ago by mmpc2
In a blog published in November titled "Explore the CVE-2010-3654 matryoshka", we discussed a 0-day Shockwave (SWF) exploit that uses JavaScript to do malicious actions. In this blog, we discuss another advanced way SWF malware is combined with JavaScript, only this time without using a 0-day exploit. In January we noticed a very large spike in telemetry for a threat named Trojan:SWF/Jaswi.A. Going back to December 2010, we had picked up a few spikes for this issue, one around Christmas, a second...
Building Reputation with Microsoft Security Essentials
Posted over 2 years ago by msft-mmpc
Internet Explorer 9 includes a great new application reputation feature driven by SmartScreen. As described in this Building Reputation blog post by Ryan Colvin, SmartScreen uses file hashes and Authenticode signatures to identify publishers and applications. Microsoft Security Essentials has included reputation features since its initial release as well, although the reputation features aren't visible to the user. Like SmartScreen, Microsoft Security Essentials (and its siblings Forefront...
Win32/Renocide, the aftermath
Posted over 2 years ago by msft-mmpc
On March 8th, we announced the release of our latest Malicious Software Removal Tool (MSRT), version that included detection and cleaning capabilities for a backdoor-enabled worm we are calling Win32/Renocide. If you are not familiar with this threat, we recommend reading our encyclopedia entry here. According to our telemetry, this new addition was among the top 5 detected threats (in the first week of release), both when classified based on number of detected files and number of infected...
MSRT March'11 featuring Win32/Renocide
Posted over 2 years ago by msft-mmpc
This month we are releasing another instalment of our Malicious Software Removal Tool (MSRT), which now includes Win32/Renocide detection and cleaning capabilities. Win32/Renocide is a family of worms that spread via local, removable, and network drives and also by means of file sharing applications. It infects the network by scanning the local network using the subnet mask 255.255.0.0 and looking for writeable shares where it can copy itself and an autorun.inf file. It also uses the NETBIOS...