Microsoft Malware Protection Center

Threat Research & Response Blog

September, 2011

  • Operation b79 (Kelihos) and Additional MSRT September Release

    For the month of September, Microsoft is adding the Win32/Kelihos family to a second release of the Malicious Software Removal Tool. This additional release is to support the most recent action in Project MARS, Operation b79, which targets the Kelihos botnet. Operation b79 builds on the successes of the Rustock and Waledac takedowns. This operation extends previous legal tactics in addition to our various technical measures in that we are, for the first time, naming a defendant in a civil case involving...
  • A tale of grannies, Chinese herbs, Tom Cruise, Alureon and steganography

    I've been monitoring the development of a particular strain of Alureon since the start of August this year. The installer (detected as Trojan:Win32/Alureon.FE - cc9a8000f80b6aecee30375e3277292a725acbfb) is easily distinguishable from more prevalent strains such as Trojan:Win32/Alureon.DX by the use of PE resources to store each component. This particular installer is often downloaded by variants of Trojan:Win32/Fakesysdef using remote file names such as '531-direct'. Whilst investigating one...
  • Rustock Case Update

    Today, Microsoft's Digital Crimes Unit announced that we have concluded our civil case against the Rustock botnet operators and turned evidence found during that investigation over to the FBI as a criminal referral. While the FBI will be driving that investigation, we will continue to offer the $250,000 reward for information which leads to the arrest and conviction of Rustock's operators. Any leads can be sent to ms_referrals@ic.fbi.gov. We will continue to work with ISPs and CERTs to clean infected...
  • Banker – the other way around

    There are many techniques used by malware in the banker family to steal users' authentication credentials for online banking sites. We came across an interesting sample recently, detected as Trojan:Win32/Banload.A, which uses a remote proxy script in order to target online banking sites and facilitate data theft. When Trojan:Win32/Banload.A is executed, it opens an Internet browser to a certain animation site to trick the user into thinking that it's nothing but an animation file...
  • Doing the Zbot spot; playing gotcha with a botnet

    Greetings Internet! This month (carefully hidden under the Win32/Bamital blanket), employing the old adage 'fight fire with fire', we decided to fight sneakiness with sneakiness and quietly slipped a fairly major Win32/Zbot update into MSRT. "Zbot" I hear you say? Yes, it's still around and kicking. Despite Win32/Zbot (officially self-titled with the oh-so-ego-inflating 'Zeus' moniker, despite never fathering Hercules bot, nor employing lightning in any way during infection) being rumoured to...
  • Bamm Bamm, Rubble.

    The family selected for addition to MSRT this month is Win32/Bamital. Win32/Bamital was first discovered in September 2009 and was able to intercept and modify queries performed by search engines such as AltaVista, Bing, Google and Yahoo. Win32/Bamital has evolved over a number of generations, employing a varying range of system modifications to ensure that the malicious code is executed. Whilst the complexity of Win32/Bamital has increased over time, the core functionality of search hijacking has...
  • Win32/AdsLock – advertising content locking tool turned ransomware

    It is clear that breaking search engine rules and exploiting functionality to drive traffic and monetize content is a lucrative and extremely viable business for unethical or so called "blackhat" search engine optimization (SEO). We have recently seen another method of driving traffic and monetizing content that doesn't involve directly serving malicious content via search engine results, but rather uses a modified version of an Internet advertising technique known as content locking. According...