Microsoft Malware Protection Center

Threat Research & Response Blog

April, 2012

  • An interesting case of Mac OSX malware

    In June 2009, Microsoft issued security update MS09-027, which fixed a remote code execution vulnerability in the Mac version of Microsoft Office. Despite the availability of the bulletin (and the passage of time), not every machine is up to date yet – which is how nearly three years later, malware has emerged that exploits the issue on machines running Office on Mac OS X. Fortunately, our data indicates that this malware is not widespread, but during our investigation we found a few interesting...
  • Revenge of the Reveton

    Computer users around the world are increasingly accustomed to managing their bank accounts, paying their bills and performing other activities online. The use of technology to manage finances has long been a target of attackers, and malware authors continue to create scams that try to persuade potential victims to provide access to their valuable personal information, including logon credentials for online accounts. Trojan:Win32/Reveton.A is a recent example of malware that attempts to phish these...
  • Analysis of the Eleonore exploit pack shellcode

    '​Eleonore ' is a malware package that contains a collection of exploits used to compromise web pages. When the compromised web pages are viewed via vulnerable systems, the exploit payload is run. Eleonore is purchased by an attacker from an underground website. The attacker then gains access to Internet web servers and installs the exploit by modifying webpages, which are then served to the public. The malware pack also contains functionality for the tracking and management of compromised computers...
  • A tangled web...

    The moment of infection, and the circumstances that lead to the introduction of malware to a system, are often not obvious. This short case study examines our observations and investigations into a particular example that illustrates a fairly typical method of compromise that is played out countless times each day​ all over the web. A couple of days ago, our attention was drawn to a website that appeared to use the Microsoft brand. We received reports that a website with the word "Microsoft" in...
  • SIRv12: The obstinacy of Conficker

    Conficker is one of the most significant threat families facing organizations worldwide today; its initial impact along with its continued obstinacy shows that clearly. In the fourth quarter of 2011 – three years after its initial release – it attempted to infect just over 1.7 million computers. Conficker’s persistence is illustrated not only by the number of computers it has attempted to infect, but also by the nearly 59 million attacks launched against those computers in the fourth...
  • MSRT April 2012: Win32/Claretore

    We included three threat families in the April edition of the Microsoft Malicious Software Removal Tool - Win32/Claretore , Win32/Bocinex and Win32/Gamarue . In this post, we discuss Win32/Claretore. The earliest reported variant in this family can be traced back to November 2011. Claretore is a trojan that injects itself into running processes to intercept browser traffic and redirect the browser to an attacker-defined URL. It also sends information about the affected computer to a remote server...