Microsoft Malware Protection Center

Threat Research & Response Blog

May, 2011

  • When spear phishers target security researchers

    Every now and then a would-be criminal online picks the wrong potential victim. I was recently selling a 1995 Ford Escort on the site Craigslist.com and had a number of interested buyers. One such candidate offered a $500 IOU plus a six-month supply of tile grout. Luckily, he never showed up. Another potential buyer, by the name of Amanda Q. McCombs, wrote: "I want to buy it, where are you exactly located? any damage any rust? AMANDA Q MCCOMBS SENT FROM MY IPHONE at 12:22:13". I wrote back: hi amanda...
  • MMPC Threat Report: Cracking open Qakbot

    Today, we’re releasing a Microsoft Malware Protection Center Threat Report on Qakbot as a follow-up to the recently released Microsoft SIRv10 and our special report on Battling Botnets in late 2010. This report focuses on one botnet in particular, Qakbot. Qakbot is a backdoor that includes user-mode rootkit functionality to hide itself and to steal sensitive user data from infected machines. In addition to some of the interesting traits of Qakbot, such as the areas of the world where it...
  • Microsoft Safety Scanner detects exploits du jour

    We recently updated the Microsoft Safety Scanner, a free, just-in-time cleanup tool. The new version adds support for 64-bit Windows and can be downloaded for use on systems without network access, such as those behind an air gap, those inside an ISP's walled garden, and those where the infection itself has broken internet connectivity. You can download the Microsoft Safety Scanner (MSS) at www.microsoft.com/security/scanner. Early results have been very...
  • Dead code walking

    Recently I had a moment to review a group of PDF exploit files. Many exploits use various tricks to obfuscate their embedded JavaScript. I thought I could de-obfuscate the samples by throwing them into a sandbox and enjoying the beautified source code, but these samples required a different method to coax the legible code into view. In these examples, which come from Exploit:Win32/Pdfjsc.NJ (SHA1 45d04db8617a85f5359fb1a33ad867ef3d43eb7f), the files contained JavaScript that was embedded into...
  • Winwebsec gang responsible for FakeMacdef?

    We've noticed a few odd rogue security software applications recently. Although this type of threat is nothing new, these samples are interesting because they target the Mac OS X operating system. There have been several variants of a threat, which we detect as Rogue:MacOS_X/FakeMacdef, going around this month. As you would expect with any rogue antimalware product, it tries to trick users into thinking that they are infected with something that only it is able to remove… for a price...
  • Win32/Alureon brings back old school virus techniques, enhanced

    In 1999, a new virus, Win32/Crypto, was discovered. Rather than carrying its encryption key, it brute-forced the key at run time in order to decrypt its own body. Today, in 2011, variants of Win32/Alureon are bringing this old-school technique back to life, with some extra naughtiness, as you will see below. While working recently on different Win32/Alureon samples, we noticed behaviour that deviated from what we had seen before. A particular set of files was taking longer to exhibit malicious behaviour than others...
  • Ambler trojan tries to darken your day

    There's been talk of a new threat called "Sunspot", which we detect as Win32/Ambler.A (click to read more in our encyclopedia). Like several others in the AV industry, we feel that this threat is not a new ‘crimeware kit’, and is instead just a new variant of a much older threat known as Ambler (also known as ‘Limbo’ and ‘NetHell’ within the security industry). The primary difference with this variant is that it has the capability of performing HTML injection...
  • Dissecting Phish in SIRv10

    One of the most striking statistics in our recent Security Intelligence Report (SIRv10) is the change in social network phishing (attacks focused on impersonating a social networking site in an attempt to steal and exploit your credentials). This change was briefly mentioned in Vinny’s blog post that announced the release of the SIR. I want to take a step back and look at this data in detail, starting with how the industry in general and the SIR in particular measure phishing. Common methods...
  • Presenting... the Microsoft Safety Scanner

    We have just released a new tool, Microsoft Safety Scanner, to help you diagnose whether your computer is infected and clean it if possible. It is available from www.microsoft.com/security/scanner. The old online safety scanner at safety.live.com now also points to www.microsoft.com/security/scanner. So what is Microsoft Safety Scanner? It is a standalone, easy-to-use scanner, packaged with the latest signatures, which are updated many times a day. While it is not a replacement for a full antimalware solution...
  • New Security Intelligence Report Released

    Since 2006, we have released ten volumes of the Security Intelligence Report, providing customers with unparalleled insight into the software threat landscape and guidance to better protect themselves. The threat landscape has changed significantly during those years, with advances in security and privacy technology and in general awareness of cybercrime. However, cybercriminals have become more sophisticated and continue to evolve their attack methods. Today's release of Microsoft's Security...
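The Win32/Alureon item above describes a decryptor that does not carry its own key but brute-forces it at run time, which is why those samples take longer to do anything observable. The following is an added Python example written for this page; it is not code from the MMPC post and not Alureon's or Win32/Crypto's real algorithm. The LCG keystream, the 16-bit key space, the CRC32 integrity check and the "BODY" marker are all assumptions chosen for illustration. It packs a constructed payload under a key, discards the key, and then shows the decryptor stub recovering it by exhaustive search.

```python
"""Toy reconstruction of a self-brute-forcing decryptor.

Added example only: not MMPC code and not the real Win32/Alureon or
Win32/Crypto routine. The LCG keystream, 16-bit key space, CRC32 check and
"BODY" marker are assumptions made for illustration.
"""

import struct
import zlib

MAGIC = b"BODY"   # assumed plaintext marker, checked before the full CRC
KEY_BITS = 16     # assumed key space; a real sample tunes this so the delay
                  # is long enough to frustrate analysis yet survivable on a PC

# Constructed stand-in for the encrypted "body" (second-stage code).
PAYLOAD = b"second-stage payload bytes -- would be code in a real sample"


def keystream(key: int, n: int):
    """Yield n bytes from a 32-bit LCG seeded with the key (toy cipher)."""
    state = key & 0xFFFFFFFF
    for _ in range(n):
        state = (state * 1103515245 + 12345) & 0xFFFFFFFF
        yield (state >> 16) & 0xFF


def xor_stream(data: bytes, key: int) -> bytes:
    """XOR data with the keystream; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, keystream(key, len(data))))


def build_sample(body: bytes, key: int) -> bytes:
    """Emulate the packer: CRC32 of the plaintext followed by the ciphertext.
    The key itself is deliberately NOT stored anywhere in the output."""
    plain = MAGIC + body
    return struct.pack("<I", zlib.crc32(plain)) + xor_stream(plain, key)


def brute_force_decrypt(sample: bytes, key_bits: int = KEY_BITS):
    """Emulate the decryptor stub: try every key until the body checks out.
    Returns (key, body, attempts), or None if no key in the space fits."""
    (expected_crc,) = struct.unpack("<I", sample[:4])
    ciphertext = sample[4:]
    for key in range(1 << key_bits):
        # Cheap pre-filter: decrypt only the first bytes and look for MAGIC,
        # so most wrong keys are rejected without touching the whole body.
        if xor_stream(ciphertext[:len(MAGIC)], key) != MAGIC:
            continue
        plain = xor_stream(ciphertext, key)
        if zlib.crc32(plain) == expected_crc:
            return key, plain[len(MAGIC):], key + 1
    return None


def demo(key: int = 0xBEEF):
    """Pack PAYLOAD under `key`, forget the key, recover it by brute force.
    `key` must lie inside the KEY_BITS space or the search returns None."""
    sample = build_sample(PAYLOAD, key)
    found_key, body, attempts = brute_force_decrypt(sample)
    return found_key, body, attempts


if __name__ == "__main__":
    k, body, tries = demo()
    print(f"recovered key 0x{k:04X} after {tries} attempts")
    print(body.decode())
```

The point for an analyst is that the key is absent from the file, so a static unpacker has to repeat the same search the stub performs, and a sandbox whose timeout expires before the search completes records a sample that "does nothing". The number of attempts, and therefore the delay, depends on where the key falls in the search space, which is consistent with some samples taking noticeably longer than others to exhibit malicious behaviour.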