Microsoft Malware Protection Center

Threat Research & Response Blog

May, 2011

  • Microsoft Safety Scanner detects exploits du jour

    We recently updated the Microsoft Safety Scanner - a just-in-time, free cleanup tool. The new version adds support for 64-bit Windows systems and also allows for the download of the tool to run on non-networked systems such as those behind an air-gap network, those within an ISP's walled garden, and those where the infection has impaired internet connectivity. You can download the Microsoft Safety Scanner (MSS) at www.microsoft.com/security/scanner. Early results have been very...
  • Presenting... the Microsoft Safety Scanner

    We have just released a new tool called Microsoft Safety Scanner to help you diagnose if your computer is infected and clean it if possible. It is available from www.microsoft.com/security/scanner. The old online safety scanner from safety.live.com also now points to www.microsoft.com/security/scanner. So what is Microsoft Safety Scanner? It is a standalone, easy-to-use scanner, packaged with the latest signatures, updated many times a day. While it is not a replacement for a full antimalware solution...
  • Winwebsec gang responsible for FakeMacdef?

    We've noticed a few odd rogue security software applications recently. Although this type of threat is nothing new, these samples are interesting because they target the Mac OS X operating system. There have been several variants of a threat, which we detect as Rogue:MacOS_X/FakeMacdef, going around this month. As you would expect with any rogue antimalware product, it tries to trick users into thinking that they are infected with something which only it is able to remove... for a price...
  • When spear phishers target security researchers

    Every now and then a would-be criminal online picks the wrong potential victim. I was recently selling a 1995 Ford Escort on the site Craigslist.com and had a number of interested buyers. One such candidate offered a $500 IOU plus a six-month supply of tile grout. Luckily, he never showed up. Another potential buyer, by the name of Amanda Q. McCombs, wrote: "I want to buy it, where are you exactly located? any damage any rust? AMANDA Q MCCOMBS SENT FROM MY IPHONE at 12:22:13" I wrote back: "hi amanda...
  • Little Red Ramnit: My, what big eyes you have, Grandma!

    This month's addition to MSRT is Win32/Ramnit. Having been discovered in April 2010, the family is relatively new; however, the authors of Ramnit seem to have a preference for using an older generation of malicious techniques. Whilst there are still a number of parasitic file infectors in the wild, the total number of malware families employing such a technique is relatively small. Like many of the file infectors which preceded it, Win32/Ramnit contains functionality to infect Windows PE files with...
  • Win32/Alureon brings back old school virus techniques, enhanced

    In 1999, a new virus, Win32/Crypto, was discovered. It was using brute-force attacks against its encryption key to decrypt its body. Today, in 2011, variants of Win32/Alureon are bringing this old-school technique back to life, with some extra naughtiness, as you will see below. While working recently on different Win32/Alureon samples, we noticed some behaviour that deviated from what we’ve seen before. A particular set of files was taking longer to exhibit malicious behaviour than others...
  • New Security Intelligence Report Released

    Since 2006, we have released ten volumes of the Security Intelligence Report, providing customers with unparalleled insight into the software threat landscape and guidance to better protect themselves. The threat landscape has changed significantly during those years with advancements in security and privacy technology and general awareness of cybercrime. However, cybercriminals have gotten more sophisticated and continue to evolve their attack methods. Today's release of Microsoft's Security...
  • MMPC Threat Report: Cracking open Qakbot

    Today, we're releasing a Microsoft Malware Protection Center Threat Report on Qakbot as a follow-up to the recently released Microsoft SIRv10 and our special report on Battling Botnets in late 2010. This report focuses on one botnet in particular, Qakbot. Qakbot is a backdoor that includes user-mode rootkit functionality to hide itself and also steal sensitive user data from infected machines. In addition to some of the interesting traits of Qakbot, such as the areas of the world where it...
  • Slick links linked to slinky Winwebsec

    I received a spam email from a friend lately, after which I immediately notified him of a potential malware infection. He insisted his technician had taken care of the infection once and for all. After I returned from my vacation I received another three spam mails from him. This time I decided to look further. Message 1, about two weeks old, contained a simple URL shown as 'facebook.com/abunk.maralyn'. The hyperlink actually is for a different site, "medshealthtablets.net...
  • Dead code walking

    Recently I had a moment to review a group of PDF exploit files. Many exploits use various tricks to obfuscate embedded JavaScript. I thought I could de-obfuscate the samples by throwing them into a sandbox environment and enjoying the beautified source code, but these samples required a different method to coax the legible code into view. In these examples, which come from Exploit:Win32/Pdfjsc.NJ (SHA1 45d04db8617a85f5359fb1a33ad867ef3d43eb7f), the files contained JavaScript that was embedded into...