Microsoft Malware Protection Center

Threat Research & Response Blog

February, 2012

  • Stratfor customers targeted by cybercriminals

    Cybercriminals are continuing to use a social engineering trick to lure users for their malware campaigns. This time, they targeted customers of Stratfor - a subscription-based provider of geopolitical analysis. Attacks against Stratfor clients began after a reported breach of their customer database. The spammed email contains an attached PDF file named "stratfor.pdf". Upon opening the PDF file, it displays the following content, with a reference to using security software to scan for the fictional...
  • Can we believe our eyes? Another story…

    In Windows, the “hosts” file (located in “%SystemRoot%\System32\drivers\etc” directory by default) is often used by malware authors when hijacking websites. The local Hosts file overrides the DNS resolution of a website URL to a particular IP address. Malware authors make changes to affected users’ Hosts files to redirect specified URLs to different IP addresses of the author’s choice. In August last year, I blogged about malware authors using Unicode characters...
  • Pramro and Sality - two PEs in a pod

    The second of the families added to the February release of the Microsoft Malicious Software Removal Tool (MSRT) is Win32/Pramro. Win32/Pramro is a family of trojans that can act as a SOCKS proxy on an infected computer. In this case, this proxy may be used to relay spam and HTTP traffic. Detection was first added for Pramro variants in January 2008. There is a strong connection with the polymorphic file infector Win32/Sality, which shares portions of code with Pramro. For example, let's examine...
  • Extracting the fare

    When malware is found lurking on a system, quite often it isn't acting alone. Once malware distributors have control of a system, they will do everything they can to compromise the machine and the user for maximum gain -- for instance, hijacking a browser's search results, or using rogue security software to extract payments from affected users -- and will try to install whatever other malware components they need to in order to make this happen. Such is the case with Win32/Fareit, which is one...
  • In Memoriam - Tareq Saade

    January 26 1983 - February 19 2012 Tareq was part of the MMPC for several years, in which the social media properties (including this blog) were part of his responsibilities. He was one of those people who make an impact on you from the moment you meet them. He was well-loved and well-respected, much admired and very much missed. We at the MMPC feel his loss tremendously, and our thoughts are with his family and loved ones at this difficult time.