Microsoft Malware Protection Center

Threat Research & Response Blog

October, 2012

  • SIRv13: Be careful where you go looking for software and media files

    The Internet is a great place to share; we share information, ideas, experiences, software, and media through many different services over the Internet. The Internet is also a great place to do business and to shop for great deals on software, movies, and music as well as other goods and services. Unfortunately, malware distributors take advantage of people's desire to share and find the best deals by using social engineering in an attempt to infect computer systems. Preying on the desire to "get...
  • Malware signed with the Adobe code signing certificate

    Last week, Adobe released an advisory (APSA12-01) announcing the upcoming revocation of an Adobe code signing certificate after it was compromised and used to sign at least two malicious utilities. They identified a compromised build server that had access to the code signing infrastructure and have forensic evidence that links it to the signing of these malicious utilities. They have confirmed that the private key itself was not compromised and that this build server was used to sign the malicious utilities...
  • ELAM Is Black and White

    At the Virus Bulletin conference this year, there was a talk about the limitations of, and suggested enhancements for, the Early Launch Anti-Malware (ELAM) environment. The main observation, complaint if you will, was that there is no way for an anti-malware (AM) engine to perform a deep scan. However, there is a very good reason why ELAM does not allow that: it is not meant to. The purpose of ELAM is exactly to perform black- and/or white-listing of drivers until the full AM engine is loaded as...
  • MSRT October '12 - Nitol: Counterfeit code isn't such a great deal after all

    Just recently, Microsoft shut down the command-and-control (C&C) infrastructure of the Win32/Nitol malware, one of the most active DDoS-performing malware families today. The takedown, dubbed "Operation b70", was a great success. To amplify its disruption, DDoS:Win32/Nitol was included in this month's Malicious Software Removal Tool (MSRT) release. Microsoft's study [PDF] behind Operation b70 found that PC consumers might be at risk of getting infected by malware even with brand-new computers...
  • MSRT thwarts rogues with just one scan

    Most rogue antivirus software displays an interface that is predominantly in English, with some presenting a few other European languages as well. However, this month one of the families added by MSRT is Win32/Onescan, a Korean fake antivirus scanner that is the most prevalent of the Asian language-based rogues. Recently we noticed that several different English language rogue antivirus families have become inactive, with much of the remainder now consolidating around two other rogue families...
  • A Facebook scam, end to end

    Just recently, I logged on to my Facebook account and saw that a couple of people on my Friends list had posted something about a free $250 gift card from Costco, similar to this: When you click the link, Facebook asks you if you're sure that the link is not spam. If you choose "not spam", your browser opens a specific website, which looks similar to the following: Note that this is not a URL affiliated with Costco, but rather the author(s) of the scam are using the branding and naming...
  • MSRT October '12 - Nitol by the numbers

    As mentioned in our previous post, Microsoft's study [PDF] behind Operation b70 found that PC consumers might be at risk of malware infection even with brand new computers, if the computers come pre-installed with counterfeit versions of Windows software. This is what happened to some consumers in China who purchased their computers from an untrusted supply chain. A staggering 4 out of 20 machines were found to be infected with malware, and one of those infectors was Nitol. MMPC's infection...
  • All copy and paste makes Jack a bored boy

    We recently came across what appeared to be a new sample, but was actually part of malware discovered in 2010. This new-old sample is built from publicly available source code and, like many of its kind, is frequently rebranded. Because of all the changes that malware authors have made, we have detection for each customized iteration. One such iteration (SHA1 8d81462089f9d1b4ec4c7423710cf545be2708e7) is commonly deployed under private obfuscators (such as H1N1 or Umbra). We detect this threat as...
  • Know your enemy - protect yourself

    Of the many weapons and tricks in an attacker's arsenal, none is more dangerous or insidious than the ability to hide and continuously compromise a system from within. This is the role of a rootkit. Malware uses rootkits, or rootkit functionality, in order to hide its presence on an affected computer and thus impede its removal. Once compromised by a rootkit, any information returned by an affected system can no longer be trusted and must be regarded as suspect (which is exactly how they...
  • Happy Halloween from the MMPC

    One of my pet peeves working in computer security has always been the use of emotive language. I have always felt that using highly emotive terms to discuss malware greatly adds to the already-considerable FUD (fear, uncertainty and doubt) that surrounds a lot of malware information. The FUD, in turn, leads users to think that this is a problem that is too big for them – too daunting, too scary – when that simply isn’t true. Malware are computer programs just like other computer...
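The "ELAM Is Black and White" entry above makes the point that an ELAM driver only classifies each boot-start driver as known good, known bad, or unknown, and that the boot loader's policy, not a deep scan, decides what loads. The following is an added toy model of that two-step decision; it is illustration code, not Microsoft's ELAM implementation or its kernel API. The classification names mirror the ones an ELAM callback returns and the DriverLoadPolicy values mirror the documented registry setting, but the signature data, signer names, driver list and image bytes are all constructed for the example.

```python
"""Toy model of the ELAM classify-then-apply-policy decision at boot.
Added example: not ELAM's real callback API or Microsoft's code.
Hashes, signers and the driver list are constructed for illustration."""
import hashlib
from enum import Enum


class Classification(Enum):
    """Mirrors the verdict names an ELAM driver returns for each image."""
    KNOWN_GOOD = "KnownGoodImage"
    UNKNOWN = "UnknownImage"
    KNOWN_BAD = "KnownBadImage"
    KNOWN_BAD_BOOT_CRITICAL = "KnownBadImageBootCritical"


# DriverLoadPolicy values documented under
# HKLM\SYSTEM\CurrentControlSet\Policies\EarlyLaunch
POLICY_GOOD_ONLY = 0
POLICY_GOOD_AND_UNKNOWN = 1            # Windows default
POLICY_GOOD_UNKNOWN_BAD_CRITICAL = 3
POLICY_ALL = 7

_ALLOWED = {
    POLICY_GOOD_ONLY: {Classification.KNOWN_GOOD},
    POLICY_GOOD_AND_UNKNOWN: {Classification.KNOWN_GOOD, Classification.UNKNOWN},
    POLICY_GOOD_UNKNOWN_BAD_CRITICAL: {Classification.KNOWN_GOOD,
                                       Classification.UNKNOWN,
                                       Classification.KNOWN_BAD_BOOT_CRITICAL},
    POLICY_ALL: set(Classification),
}

# Constructed signature data (hypothetical, not real malware hashes).
TRUSTED_SIGNERS = {"Microsoft Windows"}
KNOWN_BAD_HASHES = {
    hashlib.sha256(b"constructed rootkit driver body").hexdigest(),
    hashlib.sha256(b"constructed bad storage filter body").hexdigest(),
}


def classify(image_bytes, signer, boot_critical):
    """ELAM-style verdict from cheap signals only: image hash and signer.
    There is deliberately no content scan; the full AM engine is not loaded
    yet. A known-bad hash wins over a trusted-looking signer."""
    digest = hashlib.sha256(image_bytes).hexdigest()
    if digest in KNOWN_BAD_HASHES:
        return (Classification.KNOWN_BAD_BOOT_CRITICAL if boot_critical
                else Classification.KNOWN_BAD)
    if signer in TRUSTED_SIGNERS:
        return Classification.KNOWN_GOOD
    return Classification.UNKNOWN


def evaluate_boot(drivers, policy=POLICY_GOOD_AND_UNKNOWN):
    """Apply the load policy to each boot-start driver.
    drivers: iterable of (name, image_bytes, signer, boot_critical).
    Returns {name: (Classification, loaded_bool)}."""
    allowed = _ALLOWED[policy]
    result = {}
    for name, image, signer, critical in drivers:
        verdict = classify(image, signer, critical)
        result[name] = (verdict, verdict in allowed)
    return result


# Constructed boot-driver list for the demonstration.
SAMPLE_DRIVERS = [
    ("disk.sys", b"constructed disk class driver body", "Microsoft Windows", True),
    ("vendorfilter.sys", b"constructed third-party filter body", "Example Vendor", False),
    ("hiddenfs.sys", b"constructed rootkit driver body", None, False),
    ("badstor.sys", b"constructed bad storage filter body", "Example Vendor", True),
]

if __name__ == "__main__":
    for policy in (POLICY_GOOD_ONLY, POLICY_GOOD_AND_UNKNOWN,
                   POLICY_GOOD_UNKNOWN_BAD_CRITICAL, POLICY_ALL):
        print(f"DriverLoadPolicy={policy}")
        for name, (verdict, loaded) in evaluate_boot(SAMPLE_DRIVERS, policy).items():
            print(f"  {name:18} {verdict.value:28} {'load' if loaded else 'BLOCK'}")
```

Under the default policy the unknown third-party filter loads and both known-bad images are blocked; raising the policy to 3 lets the known-bad but boot-critical storage driver load (so the machine still boots and the full engine can clean it later), while the non-critical rootkit driver stays blocked. That split is exactly why ELAM does not need a deep scan: the verdicts are cheap lookups, and the risk trade-off lives in the policy.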