About a month ago, we blogged about an Adobe Flash Player vulnerability ( CVE-2011-0609 ) that was actively exploited in the wild. That exploit was hidden inside a Microsoft Excel document. Over the weekend, a new Adobe Flash Player 0-day ( CVE-2011-0611 ) was reported by Adobe in a recent advisory ( APSA11-02 ). It all started with spam emails enticing users to open its attachment, typically a Microsoft Word document (or a zip file of a Microsoft Word document), which contained the malicious...

This month, the MSRT team added the Win32/Afcore family of trojans to its detections. This malware is also known as Coreflood . It has evolved over time, first breaking onto the scene in 2003. At the time, it was encountered when visiting a malicious web page containing obfuscated VBScript and detected as TrojanDropper:VBS/Inor.B . Using hexadecimal encoding, the VBScript dropper would create an executable, detected as Backdoor:Win32/Apdoor.C . Its main functionality was somewhat simple then and...

Earlier this week, I received a phone call via Skype on my laptop, the caller’s ID was “ dralerthelpzc8 ” as in Dr Alert Help ZC8 . The voice on the other end was automated, computerized and otherwise non-human, and alerted me that I had a virus that affects Windows Vista, Windows XP and Windows 7 and that I needed to visit a website to download an update. ( This is somewhat similar to the situation where a live person calls and purports to being a Microsoft employee and wants to help you clean your...

In continuation of our support for the takedown activities on the Win32/Afcore botnet, we are releasing a second edition of MSRT in April. This edition includes variants of Afcore released by the criminals behind it at approximately the same time as the previous edition of MSRT. While MSRT has traditionally been released on the second Tuesday of the month alongside other security releases, we are not tied to this schedule. We can, and will, release MSRT as needed to support takedown activities or...

Recently, I received an email in my personal inbox with a subject line “MYSTERY SHOPPER ASSISTANT“ (the message did not filter to my junk folder and was not marked as spam). Image 1 – “Mystery shopper assistant” spam I’m familiar with the hobby of mystery shopping – a service provided under contract where the contractor discreetly reviews an establishment and observes various aspects such as customer service, cost of goods or services sold and so on. The contract then reports back to the contracting...

We recently examined a sample, detected as Program:Win32/Pameseg.P (SHA1: 089e7ec8ee2ca4be0fff079e39ef26110a8de78e), that appears to be a new version of " LoviVkontakte ", an application for the Russian social networking website " vkontakte ". This sample asks for money by way of requesting an SMS to a premium number to continue installation. We've seen similar behavior in the past with the malware families Wintrim and Ransom . With this sample, it became apparent that things...