Microsoft Malware Protection Center

Threat Research & Response Blog

June, 2012

  • Some shellcode de-mystified

    The shellcode described in this post was obtained from the Eleonore v1.2 exploit kit. High-level details about that kit are mentioned in my April 2012 blog post. This post is a technical view of the actual shellcode and is intended to be instructive to the inquisitive reader. Since this code is relatively old, the main techniques (hashing API lookups, rol decryption, kernel32 address lookup) have been discussed before. There are some other less-discussed bits of shellcode analysis, such as...
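
    To make the two techniques named above concrete, here is an added, stand-alone example that is not code from the Eleonore kit or from the original post. It resolves an API by a 4-byte hash of its export name instead of by string (so the name never appears in the payload bytes) and runs a rol-then-xor decryption loop over a constructed buffer. Assumptions: the hash is the well-known ROR-13 scheme, the export table is a constructed stand-in for kernel32's real export directory (which shellcode locates via the PEB loader lists), and the decryption scheme, key and shift are illustrative; Eleonore's actual constants are not given here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* 32-bit rotate-right, the primitive behind the classic API-name hash. */
static uint32_t ror32(uint32_t v, unsigned n)
{
    n &= 31;
    return n ? (v >> n) | (v << (32 - n)) : v;
}

/* ROR-13 hash over an export name (Skape's "Understanding Windows Shellcode"
   scheme). ASSUMPTION: the Eleonore shellcode's own hash constants are not on
   this page; this is the widely used variant, shown for illustration. */
uint32_t api_hash(const char *name)
{
    uint32_t h = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; ++p)
        h = ror32(h, 13) + *p;
    return h;
}

/* CONSTRUCTED stand-in for kernel32's export name table. Real shellcode finds
   kernel32's base via the PEB loader lists, then walks the PE export directory. */
static const char *const fake_exports[] = {
    "CloseHandle", "CreateFileA", "GetProcAddress",
    "LoadLibraryA", "VirtualAlloc", "WinExec",
};

/* Resolve an export by hash only: the payload carries 4-byte hashes, so strings
   like "LoadLibraryA" never appear in its bytes. Returns table index or -1. */
int find_export_by_hash(uint32_t wanted)
{
    size_t n = sizeof fake_exports / sizeof fake_exports[0];
    for (size_t i = 0; i < n; ++i)
        if (api_hash(fake_exports[i]) == wanted)
            return (int)i;
    return -1;
}

const char *export_name(int idx) { return idx < 0 ? NULL : fake_exports[idx]; }

static uint8_t rol8(uint8_t b, unsigned n) { n &= 7; return n ? (uint8_t)((b << n) | (b >> (8 - n))) : b; }
static uint8_t ror8(uint8_t b, unsigned n) { n &= 7; return n ? (uint8_t)((b >> n) | (b << (8 - n))) : b; }

/* Representative rol-then-xor decryption loop: each byte is rotated left by
   `shift`, then xored with `key`. ASSUMPTION: the exact scheme is not on this page. */
void rol_decrypt(uint8_t *buf, size_t len, uint8_t key, unsigned shift)
{
    for (size_t i = 0; i < len; ++i)
        buf[i] = rol8(buf[i], shift) ^ key;
}

/* Inverse transform, used only to build a CONSTRUCTED ciphertext for the demo. */
void rol_encrypt(uint8_t *buf, size_t len, uint8_t key, unsigned shift)
{
    for (size_t i = 0; i < len; ++i)
        buf[i] = ror8(buf[i] ^ key, shift);
}

/* End-to-end: encrypt a constructed payload string, decrypt it the way the
   shellcode would, and resolve the API it needs by hash. Returns 1 on success. */
int demo(void)
{
    uint8_t payload[9];
    memcpy(payload, "calc.exe", 9);             /* constructed sample, includes NUL */
    rol_encrypt(payload, 9, 0x5A, 3);
    rol_decrypt(payload, 9, 0x5A, 3);

    int idx = find_export_by_hash(0xEC0E4E8Eu); /* ROR-13 hash of "LoadLibraryA" */
    if (idx < 0 || strcmp(export_name(idx), "LoadLibraryA") != 0)
        return 0;
    return memcmp(payload, "calc.exe", 9) == 0;
}

int main(void)
{
    printf("%s\n", demo() ? "resolved LoadLibraryA by hash, payload decrypted" : "failed");
    return 0;
}
```

    When triaging a real sample, the practical check is the reverse of `find_export_by_hash`: collect the 4-byte constants the shellcode compares against, hash the export names of kernel32 and ws2_32 with the candidate scheme, and match them up; a rotate count or seed that yields no matches usually means the kit uses its own variant of the hash.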
  • Phishing: not just for banks

    When people think of phishing (a deception to trick a user into sharing their credentials with a third party), they usually think of banking. But with the popularity of online games, a user can still be a target even if they protect their banking information. A typical reason for phishing in games is to steal in-game money and items. A phish might promise something free; since the phisher doesn't have to deliver, they could promise anything. In this example, the phisher promises two free Steam...
  • Insights into Win32/Bradop

    Have you heard of Win32/Bradop? We recently investigated this interesting data theft family in more detail and exposed some of its inner secrets. The following is a description of what we found out. Spoiler alert: spam emails, protectors, the download mechanism, database credentials, stolen data, and the source code all figure in prominently. Win32/Bradop arrives on a computer after the recipient of a spam email falls victim to social engineering. A recent spam message looks like this: Figure...
  • MSRT June '12 - cleanup on aisle one

    In the June '12 installment of the Microsoft Malicious Software Removal Tool (MSRT), we take on two threat families - Win32/Kuluoz and Win32/Cleaman. This post includes information about Kuluoz; we'll discuss Cleaman later this month. Win32/Kuluoz is a multi-component trojan family that attempts to steal passwords stored in certain applications, as well as sensitive files from your computer. The trojan implements a downloader component that we observed being distributed via spam email...