Microsoft Malware Protection Center

Threat Research & Response Blog

July, 2012

  • How to protect yourself from Java-based malware

    The last few months we have seen a drastic increase in Java-based malware abusing the CVE-2012-0507 AtomicReferenceArray type-confusion vulnerability. In addition to that, a few weeks ago, a new Java vulnerability was found (CVE-2012-1723); it is also a type-confusion vulnerability. The attack abusing this new vulnerability is also very active. Traditionally, Java has a strong security model, but with type-confusion vulnerabilities, this model is easily broken. Type-confusion is a vulnerability...
  • Economies of scale: A perspective on cross-platform vulnerabilities

    A year ago, we published a blog post titled 'Backdoor Olyx - is it malware on a mission for Mac?'. It explored the intriguing questions that lay behind this backdoor's discovery, delivery and targets. We provided our observations and analysis, and suggested that this threat was used in a targeted attack against unknown victims. However, we found no clue at that time as to 'how' the threat was installed to its targets - an important missing piece that we've continued to investigate over time. ...
  • Obfuscating, bifurcating, escalating and mitigating on 64-bit

    With the growth in adoption of 64-bit architectures and associated operating systems, we're seeing the usual malicious suspects following the trend. We have seen variants of several families, including Alureon, Koobface, Sirefef and Ursnif, targeting this platform. These families adopt various techniques to prevent their detection and removal, one of which is obfuscation. Let's take a look at Ursnif, a family of malware which has been active as far back as 2006. The malware usually comes in the...
  • Fake apps and the lure of alternative sources

    There are millions of people using Skype. In fact, early this year, Skype had reached 40 million concurrent users; all were signed onto Skype, all at once. And yes, it is widely available on mobile devices. Last week, a new piece of malware was spotted trying to take advantage of Skype's popularity, specifically targeting Android mobile users - we detect this threat as Trojan:AndroidOS/SMSFakeSky.A and Trojan:Java/SMSFakeSky.A. In this case, the cybercriminal's fraudulent scheme was to lure...
  • We've got our eye on Eyestye

    Back in October 2011, we began to remove Eyestye variants using the Malicious Software Removal Tool (MSRT) in an effort to prevent the proliferation of this botnet. Today, we published a detailed MMPC Threat Report on this family. The report provides an in-depth analysis of how Win32/EyeStye works and the telemetry we have on its activity in 2011 and early 2012. Win32/EyeStye is a family of trojans that attempt to steal sensitive data, such as logon credentials, from banking websites and other...
  • Knowing you, knowing meme...

    I've worked in this industry for some time now, but to be frank, working as a writer with the MMPC I don't see too much live malware action from the front lines. I tend to write about other people's experiences with malware. However, I had this experience recently that I wanted to share with you, to give you some insight into one way that malware is distributed and talk about how it's representative of a fairly common scenario. A colleague (Scott) was prompted to make comment after overhearing...
  • Morto goes viral

    We've recently seen a new strain of Morto that serves as a timely reminder to users of the importance of using strong passwords. In the past we've seen Win32/Morto compromising Remote Desktop connections by exploiting weak administrator passwords. This new strain of Morto (detected as Virus:Win32/Morto.A) makes the same attempt, but has added file infection to its arsenal. Morto attempts to infect files in the default RDP file share '\\tsclient' by enumerating all the...
  • Cleaning out Cleaman

    We had included Win32/Kuluoz and Win32/Cleaman in the June edition of the Microsoft Malicious Software Removal Tool (MSRT). In this blog post we will discuss Win32/Cleaman - a family that belongs to the category of "web redirector". Win32/Cleaman is a multi-component trojan with the capability to redirect web search queries. It is usually distributed via drive-by exploit kits and its main purpose is to redirect Bing, Google, and Yahoo search results to either fake or compromised webpages...
  • More 64-bit obfuscator madness

    Just after we published a blog about a 64-bit obfuscator, we very quickly discovered another malware family following the same trend. Claretore is also using two-layer 64-bit obfuscation, although it does it a little differently to Ursnif. The first layer simply decrypts the code of the second layer and passes it control. There's even a 64-bit anti-emulation trick used in the first layer. The code snippet is depicted in Figure 1. It calls API GetBkColor() with a bogus parameter (0x3c2c3f2...