Microsoft Malware Protection Center

Threat Research & Response Blog

March, 2011

  • Embedded JavaScript in SWF

    In a blog published in November titled “Explore the CVE-2010-3654 matryoshka”, we discussed a 0-day Shockwave (SWF) exploit that uses JavaScript to do malicious actions. In this blog, we discuss another advanced way SWF malware is combined with JavaScript, only this time without using a 0-day exploit. In January we noticed a very large spike in telemetry for a threat named Trojan:SWF/Jaswi.A. Going back to December 2010, we had picked up a few spikes for this issue, one around Christmas, a second...
  • MSRT March'11 featuring Win32/Renocide

    This month we are releasing another instalment of our Malicious Software Removal Tool (MSRT), which now includes Win32/Renocide detection and cleaning capabilities. Win32/Renocide is a family of worms that spread via local, removable, and network drives and also by means of file sharing applications. It infects the network by scanning the local network using the subnet mask 255.255.0.0 and looking for writeable shares where it can copy itself and an autorun.inf file. It also uses the NETBIOS...
  • Win32/Renocide, the aftermath

    On March 8th, we announced the release of our latest Malicious Software Removal Tool (MSRT), a version that included detection and cleaning capabilities for a backdoor-enabled worm we are calling Win32/Renocide. If you are not familiar with this threat, we recommend reading our encyclopedia entry here. According to our telemetry, this new addition was among the top 5 detected threats (in the first week of release), both when classified based on number of detected files and number of infected...
  • A Technical Analysis on the CVE-2011-0609 Adobe Flash Player Vulnerability

    On March 14, Adobe released a security advisory (APSA11-01) warning of 0-day attacks affecting Adobe Flash Player (versions earlier than and including 10.2.152.33). These attacks were hidden inside Microsoft Excel documents that were used as a vehicle to deliver the exploit. The Adobe Flash file embedded inside the Excel file is another carrier for the exploit. It loads shellcode inside memory, performs heap-spraying, and loads a Flash byte stream from memory to exploit the 0-day vulnerability...
  • Operation b107 - Rustock Botnet Takedown

    Just over one year ago, Microsoft, with industry and academic partners, utilized a novel combination of legal and technical actions to take control of the Win32/Waledac botnet as the first action in Project MARS (Microsoft Active Response for Security). Today, a similar action has had its legal seal opened, allowing us to talk more openly about recent activities against the Win32/Rustock botnet. Comparatively, Waledac was a much simpler and smaller botnet than Rustock. It is, however...
  • How to defang the Fake Defragmenter

    We have been tracking the trails of this fake "System Defragmenter" software since its first appearance in October 2010, and have warned our customers in our earlier post about this trojan software. In this follow-up post, we give an update including a new variant worth noting for our customers. The fake system defragmenter family (FakeSysdef) is similar to rogue software in many ways, such as presenting forced installations, a polished user interface, false and annoying errors and a request...
  • Greetings from sunny Barcelona

    This year's Black Hat Europe Conference 2011, with Microsoft as one of the sponsors, was held in Barcelona, Spain. The first briefings were held March 17th, when speakers began to present various research papers on a lot of very interesting topics. This is also a good opportunity to meet other researchers, to exchange ideas and to find out new and exciting things. The first day was a full day (good thing that I saw Camp Nou, home of FC Barcelona, when I first arrived :)), with presentations that...
  • Building Reputation with Microsoft Security Essentials

    Internet Explorer 9 includes a great new application reputation feature driven by SmartScreen. As described in this Building Reputation blog post by Ryan Colvin, SmartScreen uses file hashes and Authenticode signatures to identify publishers and applications. Microsoft Security Essentials has included reputation features since its initial release as well, although the reputation features aren't visible to the user. Like SmartScreen, Microsoft Security Essentials (and its siblings Forefront...
  • Very bad news, with more bad news embedded

    Malware writers never miss the chance to take advantage of big world events, no matter how tragic. The recent Japanese nuclear incident, caused by the devastating earthquakes, is their target this time. The Microsoft Malware Protection Center has been tracking a new backdoor (detected as Backdoor:Win32/Sajdela.A, SHA1 0c3526c7e1d6b8a3d2f5c21986c03f1dc0d88480) that is distributed by utilizing Exploit:Win32/CVE-2010-3333 - code that exploits a previously-addressed RTF parser stack overflow vulnerability...
  • Trojan downloader Chepvil on the UPSwing

    A new spam campaign using UPS (United Parcel Service) as a social-engineering draw was initiated this week. The spammed message contains an attachment, detected as TrojanDownloader:Win32/Chepvil.I. The spam campaign actually started around March 16th 2011. The threat was originally detected as Backdoor:Win32/Hostil.gen!A (was Backdoor:Win32/Hostil.F). More specific signatures (TrojanDownloader:Win32/Chepvil.I and TrojanDownloader:Win32/Chepvil.J) were added on March 22nd 2011. Win32/Chepvil is...