Microsoft Malware Protection Center

Threat Research & Response Blog

May, 2011

  • Little Red Ramnit: My, what big eyes you have, Grandma!

    This month's addition to MSRT is Win32/Ramnit . Having been discovered in April 2010, the family is relatively new, however, the authors of Ramnit seem to have a preference for using an older generation of malicious techniques. Whilst there are still a number of parasitic file infectors in the wild, the total number of malware families employing such a technique is relatively small. Like many of file infectors which preceding it, Win32/Ramnit contains functionality to infect Windows PE files with...
  • Keeping an eye on the heap

    The Windows heap memory is a rich source of anti-debugging techniques. It can be altered in numerous ways to achieve interesting effects, such as the execution of arbitrary code in particular circumstances. It can also be used in indirect ways, since many APIs allocate and/or free memory as part of their standard behaviour. What follows is a description of some of the ones that we might see in malware samples -- to raise awareness among the good guys and remove the element of surprise for the bad...
  • Slick links linked to slinky Winwebsec

    I received a spam email from a friend lately after which I immediately notified him of a potential malware infection.  He insisted his technician had taken care of the infection once and for all.  After I returned from my vacation I received another three spam mails from him.  This time I decided to look further. Message 1, about two weeks old, contained a simple URL shown as ‘ ’.  The hyperlink actually is for a different site, “