Microsoft Malware Protection Center

Threat Research & Response Blog

January, 2012

  • Plenty to complain about with faux BBB spam

    I was recently having a conversation online in a forum about online reputation and about refuting false claims posted on customer complaint sites. In this particular conversation I was having, the person was falsely accused of bad business practices. In the States, if you experience an injustice from a bad business dealing, you can complain and report that business to an organization named the Better Business Bureau (BBB). In this particular incident, the falsely accused party wasn't reported...
  • Are you beta testing malware?

    This post is part one of two. Popular games are often used by malware writers as social engineering bait, as documented in previous blogs ("Dota Players Own3d" and "Keeping Kerrigan From Infection"). So, with a watchful eye for anything related to games used as an infection vector, we came across a couple of interesting files: "dota 2 Betakeys.txt.exe" (detected as Backdoor:MSIL/Pontoeb.J) and "diablo3-crack.exe" (detected as Backdoor:Win32/Fynloski.A). These files noted as...
  • Fake Seattle traffic ticket notification leads to malware

    Our partners at the City of Seattle sent us a warning today about a phishing campaign which targets users very close to home -- specifically, Seattle, Washington. They're seeing spam mail circulating that claims to be from the Seattle Department of Motor Vehicles, stating that the victim is charged with a traffic offense, and requesting that they fill out a linked form: Variations of this email are turning up; all of them have similar content and a “check sum” tag line. Only the hyperlink...
  • When imitation isn’t a form of flattery

    When I was at school (many, many years ago…) a teacher once told me that if someone copies you, it's a sign of flattery. Well, right now there are numerous "companies" copying us, but we are far from flattered. For some time now, rogue security programs have been trying their hardest to look just like Microsoft security products. I suppose they figure that the more they look like us, the more likely unsuspecting users are to hand over their hard-earned cash to have their computers "cleaned...
  • January '12 MSRT: Win32/Sefnit

    The January 2012 edition of the Microsoft Malicious Software Removal Tool (MSRT) includes detection and removal of the Win32/Sefnit family of trojans. This trojan family moderates and redirects web browser search engine results for Bing, Yahoo! and Google. The earliest reported variant in this family can be traced back to August 2010. The installation mechanism employed by early samples remains very similar to samples we observe in the wild today. Variants of Sefnit use a Nullsoft...
  • A different breed of downloader

    In our everyday world, we sometimes make use of thin clients, which don't have a lot of functionality but are easy to maintain, as their functionality is based on data they receive from remote servers. Malware authors have adopted a similar technique, in which malware is able to download executable code without actually downloading an executable image. We're talking about malware that isn't a typical trojan downloader. The typical routine for trojan downloaders is that the downloaded file is...
  • Independent social welfare site hacked to serve malware?

    We received a submission from one of our customers that downloaded some suspicious files from a certain website. We checked the files, confirmed that they are actually malicious and added detection for them as Trojan:BAT/Delosc.A. Everything seemed normal, until we looked at the website that the files were downloaded from, which suggested that there's more to it than meets the eye. The website in question is a Romanian website, asistentasociala [dot] info. The term "asistenta sociala" translates...
  • Are You Beta Testing Malware pt 2: Dissecting Fynloski's Obfuscation

    This post is part two of two. In our previous post, we came across a couple of files that used some popular games as part of their social engineering technique. One of the files, which was named "diablo3-crack.exe" (after Diablo, the video game series), is currently detected as Backdoor:Win32/Fynloski.A. It piqued our interest because we're avid gamers, and much to our surprise, when we took a closer look we found out that the obfuscation technique it uses was also interesting. An initial look...