Microsoft Malware Protection Center

Threat Research & Response Blog

May, 2011

  • Slick links linked to slinky Winwebsec

    I received a spam email from a friend recently, after which I immediately notified him of a potential malware infection. He insisted his technician had taken care of the infection once and for all. After I returned from my vacation I received another three spam mails from him. This time I decided to look further. Message 1, about two weeks old, contained a simple URL displayed as ‘facebook.com/abunk.maralyn’. The hyperlink actually points to a different site, “medshealthtablets.net...
  • Keeping an eye on the heap

    The Windows heap memory is a rich source of anti-debugging techniques. It can be altered in numerous ways to achieve interesting effects, such as the execution of arbitrary code in particular circumstances. It can also be used in indirect ways, since many APIs allocate and/or free memory as part of their standard behaviour. What follows is a description of some of the ones that we might see in malware samples -- to raise awareness among the good guys and remove the element of surprise for the bad...
  • Little Red Ramnit: My, what big eyes you have, Grandma!

    This month's addition to MSRT is Win32/Ramnit. Having been discovered in April 2010, the family is relatively new; however, the authors of Ramnit seem to prefer an older generation of malicious techniques. Whilst there are still a number of parasitic file infectors in the wild, the total number of malware families employing such a technique is relatively small. Like many of the file infectors that preceded it, Win32/Ramnit contains functionality to infect Windows PE files with...
  • New Security Intelligence Report Released

    Since 2006, we have released ten volumes of the Security Intelligence Report, providing customers with unparalleled insight into the software threat landscape and guidance to better protect themselves. The threat landscape has changed significantly during those years with advancements in security and privacy technology and general awareness of cybercrime. However, cybercriminals have gotten more sophisticated and continue to evolve their attack methods. Today's release of Microsoft's Security...
  • Presenting... the Microsoft Safety Scanner

    We have just released a new tool called Microsoft Safety Scanner to help you diagnose whether your computer is infected and clean it if possible. It is available from www.microsoft.com/security/scanner. The old online safety scanner from safety.live.com also now points to www.microsoft.com/security/scanner. So what is Microsoft Safety Scanner? It is a standalone, easy-to-use scanner packaged with the latest signatures, which are updated many times a day. While it is not a replacement for a full antimalware solution...
  • Dissecting Phish in SIRv10

    One of the most striking statistics in our recent Security Intelligence Report (SIRv10) is the change in social network phishing (attacks focused on impersonating a social networking site in an attempt to steal and exploit your credentials). This change was briefly mentioned in Vinny’s blog post that announced the release of the SIR. I want to take a step back and look at this data in detail, starting with how the industry in general and the SIR in particular measure phishing. Common methods...
  • Ambler trojan tries to darken your day

    There's been talk of a new threat called "Sunspot", which we detect as Win32/Ambler.A (click to read more in our encyclopedia). Like several others in the AV industry, we feel that this threat is not a new ‘crimeware kit’, and is instead just a new variant of a much older threat known as Ambler (also known as ‘Limbo’ and ‘NetHell’ within the security industry). The primary difference with this variant is that it has the capability of performing HTML injection...
  • Win32/Alureon brings back old school virus techniques, enhanced

    In 1999, a new virus, Win32/Crypto, was discovered. Rather than storing its encryption key, it recovered the key by brute force in order to decrypt its own body. Today, in 2011, variants of Win32/Alureon are bringing this old-school technique back to life, with some extra naughtiness, as you will see below. While working recently on different Win32/Alureon samples, we noticed some behaviour that deviated from what we'd seen before. A particular set of files was taking longer to exhibit malicious behaviour than others...
  • Winwebsec gang responsible for FakeMacdef?

    We've noticed a few odd rogue security software applications recently. Although this type of threat is nothing new, these samples are interesting because they target the Mac OS X operating system. There have been several variants of a threat, which we detect as Rogue:MacOS_X/FakeMacdef, going around this month. As you would expect with any rogue antimalware product, it tries to trick users into thinking that they are infected with something which only it is able to remove… for a price...
  • Dead code walking

    Recently I had a moment to review a group of PDF exploit files. Many exploits use various tricks to obfuscate embedded JavaScript. I thought I could de-obfuscate the samples by throwing them into a sandbox environment and enjoying the beautified source code, but these samples required a different method to coax the legible code into view. In these examples, which come from Exploit:Win32/Pdfjsc.NJ (SHA1 45d04db8617a85f5359fb1a33ad867ef3d43eb7f), the files contained JavaScript that was embedded into...
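The "brute-force your own key" decryptor that the Win32/Alureon entry above attributes to Win32/Crypto, shown as an added illustration. This is not code from the MMPC post and not the actual routine of either family; the sample body, the 16-bit XOR keystream and the CRC-32 check are all constructed for the example. The idea is the only thing it shares with the real samples: at infection time the body is encrypted under a key that is then thrown away, and only a checksum of the plaintext is kept; at run time the decryptor tries every candidate key until the checksum matches. The search is what delays execution, which is one reason a sample built this way looks inert for longer than its siblings in a sandbox or under a debugger.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* CRC-32 (IEEE 802.3, reflected) over a buffer. Constructed for this example:
   it is the "does the plaintext look right?" test the decryptor keeps. */
static uint32_t crc32_buf(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Symmetric XOR with a 16-bit key: even bytes use the low key byte, odd bytes
   the high key byte. Deliberately weak; it only has to be brute-forceable. */
static void xor16(uint8_t *buf, size_t n, uint16_t key) {
    for (size_t i = 0; i < n; i++)
        buf[i] ^= (uint8_t)(key >> (8 * (i & 1)));
}

typedef struct {
    uint32_t plain_crc;   /* checksum of the decrypted body: the only "key material" stored */
    size_t   len;
    uint8_t  body[128];   /* encrypted body */
} EncryptedBody;

/* Constructed stand-in for a virus body (plain text, not real malware). */
static const char SAMPLE_BODY[] =
    "constructed sample payload: 1999 Win32/Crypto, 2011 Win32/Alureon";

/* "Infection time": encrypt the body and throw the key away. */
static EncryptedBody pack_body(const char *plain, uint16_t key) {
    EncryptedBody e;
    memset(&e, 0, sizeof e);
    e.len = strlen(plain);
    memcpy(e.body, plain, e.len);
    e.plain_crc = crc32_buf(e.body, e.len);
    xor16(e.body, e.len, key);          /* key is not written anywhere */
    return e;
}

/* "Run time": try all 65536 keys until the CRC of the candidate plaintext matches.
   out must hold len + 1 bytes. Returns the first matching key, or -1 if no key
   reproduces the checksum (body corrupted or tampered with). With a 32-bit CRC and
   a 16-bit key space a false match is possible but rare (~2^-16 per search);
   a real decryptor would typically check a stronger invariant of the body. */
static long brute_force_decrypt(const EncryptedBody *e, uint8_t *out, uint32_t *tries) {
    uint8_t tmp[sizeof e->body];
    for (uint32_t k = 0; k <= 0xFFFFu; k++) {
        memcpy(tmp, e->body, e->len);
        xor16(tmp, e->len, (uint16_t)k);
        if (tries) (*tries)++;
        if (crc32_buf(tmp, e->len) == e->plain_crc) {
            memcpy(out, tmp, e->len);
            out[e->len] = 0;
            return (long)k;
        }
    }
    return -1;
}

/* End-to-end: pack under key 0xBEEF, forget it, recover it.
   Returns the recovered key, -1 if none, -2 if a wrong key passed the CRC. */
static long demo_recover_key(uint32_t *tries_out) {
    EncryptedBody e = pack_body(SAMPLE_BODY, 0xBEEF);
    uint8_t out[sizeof e.body + 1];
    uint32_t tries = 0;
    long key = brute_force_decrypt(&e, out, &tries);
    if (tries_out) *tries_out = tries;
    if (key >= 0 && strcmp((const char *)out, SAMPLE_BODY) != 0) return -2;
    return key;
}

/* Same body with one bit flipped in the ciphertext: no key should fit. */
static long demo_tampered(void) {
    EncryptedBody e = pack_body(SAMPLE_BODY, 0xBEEF);
    e.body[3] ^= 0x01;
    uint8_t out[sizeof e.body + 1];
    return brute_force_decrypt(&e, out, NULL);
}

int main(void) {
    uint32_t tries = 0;
    long key = demo_recover_key(&tries);
    printf("recovered key 0x%04lX after %u candidate keys\n", (unsigned long)key, tries);
    printf("tampered body -> %ld (expected -1)\n", demo_tampered());
    return key == 0xBEEF ? 0 : 1;
}
```

Two practical consequences follow from the shape of this loop. First, the time to first malicious action scales with where the real key sits in the search order (here roughly 49,000 CRC computations before 0xBEEF is reached), so a fixed-duration sandbox run can miss the payload entirely. Second, nothing secret is needed to reverse it: an analyst holding the encrypted body and the stored checksum can run exactly the same search offline and obtain the plaintext, which is why the technique buys delay and evasion rather than confidentiality.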