Microsoft Malware Protection Center

Threat Research & Response Blog

March, 2012

  • Microsoft and partners disrupt Zeus botnets

    We have discussed in the past our collaboration with external parties to combat botnet threats to further the betterment of the Internet, such as Operations b49, b107 and b79. This week, Microsoft has partnered with security experts and the financial services industry on a new action codenamed Operation b71 to disrupt some of the worst known botnets using variants of the notorious Zeus malware (which we detect as Win32/Zbot). Due to the complexities of these targets, unlike Microsoft’s...
  • Vulnerability analysis, practical data flow analysis and visualization

    Recently at CanSecWest 2012, we presented on the technology we use for analyzing malicious samples and PoC files. As malware often actively attempts to exploit software vulnerabilities these days, understanding the internals of these vulnerabilities is essential when writing defense logic. Out of the many methods that can be used for vulnerability analysis, we presented a method that uses dynamic binary instrumentation and data flow analysis. Dynamic binary instrumentation and data flow analysis...
  • Piecing the malware puzzle – Exploring a spike in exploit activity

    In this post, we explore a telemetry spike in Java/OpenConnection and CVE-2011-3544 exploit activity. While reviewing user feedback from the Microsoft Malware Protection Center recently, we noticed an unprecedented amount of feedback on one particular Java/OpenConnection variant -- TrojanDownloader:Java/OpenConnection.PK. Such interest in this type of Java applet-based exploit is quite unusual, and prompted us to investigate further. A signature for this threat was introduced on February 22...
  • An interesting case of JRE sandbox breach (CVE-2012-0507)

    Recently we received a few samples that exploit the latest patched JRE (Java Runtime Environment) vulnerability. Samples of this kind are unusual to see, but they can be used to develop highly reliable exploits. The malicious Java applet is loaded from an obfuscated HTML file. The Java applet contains two Java class files: one triggers the vulnerability and the other is a loader class. The vulnerability-triggering class actually performs deserialization...
  • Ransomware: Playing on your fears

    The last two years have seen an increase in malware which takes control of, and holds hostage, an infected machine, locking the user out until a payment of some form can be extorted. This threat type is also known as 'ransomware'. Various tactics have been used by the malware writers in an attempt to intimidate users into paying a ransom in order to get back control of an infected machine. We wrote a blog post last December that describes malware extortion tactics, here. Scare tactics include...
  • MSRT March: Three Hioles in one

    In a previous post, we discussed Win32/Dorkbot, one of the major threat families included in the March 2012 release of MSRT. In this post, we discuss the other inclusions, Win32/Hioles, Win32/Pluzoks and Win32/Yeltminky. Win32/Hioles: Similar to last month's focus on Win32/Pramro, Win32/Hioles is another trojan that resides on the computer and functions as a proxy server. The first variant was identified in mid-2011. One popular infection vector for the malware is via spammed messages...
  • MSRT March 2012: Breaking bad

    This month, the MMPC added Win32/Dorkbot to the Microsoft Malicious Software Removal Tool along with detections for the threats Win32/Hioles, Win32/Pluzoks and Win32/Yeltminky. Win32/Dorkbot is described as an IRC-based botnet and a worm, a backdoor with rootkit capability and a password stealer. Despite using a very simple IRC protocol to communicate with the command and control (C&C) server, it was able to build a substantial installation base after a couple of years in operation. Some...
  • There's a cream for that

    The other day, while previewing messages in my inbox, I saw a conspicuous message with the following parameters, typos included: To: (email address) CC: (email address),... Subject: Your ex sent me this pciture of you. Body: Hey (email address), Your ex sent me this picture claiming it's you. Is it really so? You probaly should see a doctor:) They can cure it now:). Attachment: "Photo.zip" The attached file is a ZIP archive that contains an executable file named "IMG04958.exe" (SHA1...
  • A Rogue by any other name...

    Rogue:Win32/FakePAV reappeared about two weeks ago after a brief hiatus and since then we’ve been seeing variants with new names for themselves just about every day. The latest versions call themselves names like “Windows Threats Destroyer”, “Windows Firewall Constructor”, “Windows Attacks Preventor” and “Windows Basic Antivirus”. You can see some examples of these iterations below. Each sample of FakePAV is distributed as a self-extracting...