Microsoft Malware Protection Center

Threat Research & Response Blog

August, 2012

  • The rise of a new Java vulnerability - CVE-2012-1723

    Last month, we saw a new Java vulnerability (CVE-2012-1723) being used by malware. This new Java vulnerability is a type confusion, in the same class as the notorious CVE-2012-0507 AtomicReferenceArray vulnerability. Oracle resolved the vulnerability on June 12th, and a discussion of it was made public on June 13th (though some security updates had appeared in a Java-related open-source project in early April). Even so, it took some time for the malware writers to adopt this new vulnerability...
  • MSRT August ’12 – What’s the buzz with Bafruz?

    For this month's Microsoft Malicious Software Removal Tool (MSRT) release, we will include two families: Win32/Matsnu and Win32/Bafruz. Our focus for this blog will be Bafruz, a multi-component backdoor that creates a peer-to-peer (P2P) network of infected computers, which it uses for command and control (C&C), and that includes a nasty list of payloads as well as unique means of disabling security and antivirus products. Win32/Bafruz contains several components that achieve a number of objectives for the attacker...
  • There's nothing old school about viruses

    Recently, we discovered a new parasitic file-infecting virus in the wild, Win32/Floxif, which specifically targets DLL files. Most of the attacks by this threat have been observed to come from a specific geographic region. Win32/Floxif replaces the 5 bytes at the entry point of the infected file with a jmp instruction that jumps directly to the virus body (as shown in Figure 1).
    Figure 1: The virus replaces 5 bytes at the entry point
    The virus body drops a malicious file with a deceptive...
  • The role of 'agent' as part of distribution channel decision

    In a recent blog post, we pointed out a trend we described as economies of scale in cross-platform vulnerabilities. We noted that this method of distribution allows the attacker to maximize their potential impact on multiple platforms. In this context, we would like to take this discussion further and explain the ways platform-specific payloads are carried to targets or victims. The threat landscape, and the relationship between attacker and victim within the digital distribution space, is...
  • A technical analysis on CVE-2012-1535 Adobe Flash Player vulnerability: Part 1

    This post is part one of two. On August 14th, Adobe released a fix and an advisory for a vulnerability (CVE-2012-1535) in Adobe Flash Player. On Windows systems, Adobe Flash Player 11.3.300.270 and earlier versions are vulnerable. The advisory notes that this vulnerability has been used for targeted attacks. We analyzed a sample with a SHA1 of 04804912C34E91B68222E27C3EF54A2FB9628DEA that we detect as Exploit:SWF/CVE-2012-1535.A. We’ve observed a small number of attacks using this...
  • A technical analysis on CVE-2012-1535 Adobe Flash Player vulnerability: Part 2

    Part 1 of this blog described and analyzed the CVE-2012-1535 vulnerability in Adobe Flash Player. Here, we describe the fixes and mitigations that can be employed for this and similar exploits. Fixes and mitigations: to avoid being vulnerable, you need to update Adobe Flash Player to the latest release from here. Recent versions of Adobe Flash Player offer a Background Updater feature, which you should enable. To protect users from immediate, zero-day vulnerabilities, Adobe provides security...
  • Protecting yourself from CVE-2012-4681 Java exploits

    As we've discussed in previous posts, we are seeing more malware abusing Java issues, including CVE-2012-4681. Currently this vulnerability is a 0-day, and to date there is no patch available from the vendor. It is known that JRE (Java Runtime Environment) 7 is vulnerable to this sandbox-bypass vulnerability, while JRE 6 is not. We’ve already talked about increasing your protections from Java malware in general, whether by checking to confirm that your Java installation is up to...
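The Win32/Floxif item above describes the classic parasitic-infector patch: the 5 bytes at the PE entry point are overwritten with an E9 rel32 jmp into the virus body. The script below is an added example, not code from the MMPC blog or from any Microsoft tool; it parses the PE headers with nothing but the standard library, decodes a jmp at AddressOfEntryPoint, and flags an entry-point jump whose target leaves the section that contains the entry point (a start-up stub that jumps within .text is left alone). The two PE images it checks are constructed in memory for the demo, and the section name ".vir" and the entry bytes are assumptions, not Floxif's actual layout.

```python
"""Entry-point jmp check for a Floxif-style 5-byte patch (added example, constructed data)."""
import struct

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(img):
    """Return (entry_rva, sections) from a PE32/PE32+ image held in memory."""
    if img[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", img, e_lfanew + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", img, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    opt = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", img, opt + 16)[0]        # AddressOfEntryPoint (same offset in PE32 and PE32+)
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HDR, img, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "raw_ptr": raw_ptr, "raw_size": raw_size, "chars": chars})
    return entry_rva, sections


def section_for_rva(sections, rva):
    """Section whose virtual range covers rva, or None."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s
    return None


def check_entry_point(img):
    """Flag a 5-byte E9 rel32 jmp at the entry point whose target lies outside the entry section."""
    entry_rva, sections = parse_pe(img)
    ep_sec = section_for_rva(sections, entry_rva)
    if ep_sec is None:
        return {"suspicious": True, "reason": "entry point outside every section"}
    off = entry_rva - ep_sec["va"] + ep_sec["raw_ptr"]            # RVA -> file offset
    code = bytes(img[off:off + 5])
    result = {"entry_section": ep_sec["name"], "entry_bytes": code.hex(),
              "jmp_target_rva": None, "jmp_target_section": None, "suspicious": False}
    if len(code) == 5 and code[0] == 0xE9:                        # jmp rel32
        rel32 = struct.unpack("<i", code[1:])[0]
        target = entry_rva + 5 + rel32                            # relative to the next instruction
        tsec = section_for_rva(sections, target)
        result["jmp_target_rva"] = target
        result["jmp_target_section"] = tsec["name"] if tsec else None
        # Compiler start-up stubs may jmp within their own section; an entry jmp that leaves
        # the entry section (typically into an appended executable section) is the hallmark.
        result["suspicious"] = tsec is None or tsec is not ep_sec
    return result


def build_pe(section_specs, entry_rva, entry_code):
    """Constructed minimal PE32 image (headers plus raw sections, no imports) for the demo."""
    sections = [{"name": n, "va": va, "vsize": size, "raw_ptr": ptr, "raw_size": size, "chars": ch}
                for n, va, ptr, size, ch in section_specs]
    img = bytearray(max(s["raw_ptr"] + s["raw_size"] for s in sections))
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                        # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # IMAGE_FILE_HEADER: i386, section count, no symbols, PE32 optional header size, EXECUTABLE|32BIT
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                        # PE32 magic
    struct.pack_into("<I", img, opt + 16, entry_rva)               # AddressOfEntryPoint
    struct.pack_into("<III", img, opt + 28, 0x400000, 0x1000, 0x200)  # ImageBase, SectionAlign, FileAlign
    for i, s in enumerate(sections):
        struct.pack_into(SECTION_HDR, img, opt + 0xE0 + 40 * i, s["name"].encode(), s["vsize"],
                         s["va"], s["raw_size"], s["raw_ptr"], 0, 0, 0, 0, s["chars"])
    ep = section_for_rva(sections, entry_rva)
    off = entry_rva - ep["va"] + ep["raw_ptr"]
    img[off:off + len(entry_code)] = entry_code
    return bytes(img)


# Constructed sample images (assumed layout, not Floxif's real one).
CLEAN_EP = bytes.fromhex("558bec33c0")       # push ebp; mov ebp,esp; xor eax,eax
JMP_TO_VIRUS = bytes.fromhex("e9fb1f0000")   # jmp +0x1FFB: from EP 0x1000 lands at RVA 0x3000
BASE = [(".text", 0x1000, 0x400, 0x200, 0x60000020),
        (".data", 0x2000, 0x600, 0x200, 0xC0000040)]
CLEAN = build_pe(BASE, 0x1000, CLEAN_EP)
INFECTED = build_pe(BASE + [(".vir", 0x3000, 0x800, 0x200, 0xE0000020)], 0x1000, JMP_TO_VIRUS)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, check_entry_point(img))
```

To run it over a real DLL, pass `open(path, "rb").read()` to `check_entry_point`. The heuristic is deliberately narrow: it only decodes a direct E9 jmp, and a cross-section entry jump is a lead rather than a verdict, since packers and some linkers legitimately place the entry stub in their own section. Pair the hit with the section characteristics (an appended section that is both writable and executable, as in the constructed ".vir" here) before acting on it.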