Microsoft Malware Protection Center

Threat Research & Response Blog

November, 2012

  • Don't fall for Folstart

    We use thumb drives in different ways – usually to transfer files from one computer to another. When we create folders on thumb drives, we have a certain level of confidence that the folder isn't malicious or doesn't contain malware. Unfortunately, this assumption is not always true. For the month of November, we added the Folstart family to the Microsoft Malicious Software Removal Tool (MSRT). Folstart is a family of worms that copies itself using the same names as folders on your USB...
  • An analysis of Dorkbot's infection vectors (part 1)

    Malware nowadays benefits from the complexity of the Internet ecosystem to infect new computers through vectors such as browser plugins, social networks, and instant messaging programs. In this two-part series, we'll look at Worm:Win32/Dorkbot, a prevalent worm with the capabilities of an IRC backdoor and a password stealer. Dorkbot relies both on social engineering attacks and on methods that don't require human intervention, such as infected removable drives and drive-by downloads. This versatility...
  • A technical analysis on new Java vulnerability (CVE-2012-5076)

    There is a new Java vulnerability now publicly disclosed, CVE-2012-5076. Recently, we have seen more and more Java malware, and malware distributors using new vulnerabilities quicker than ever before. Here’s a brief analysis of this newly disclosed Java vulnerability and related malware. Just like the recent CVE-2012-4681, this vulnerability is about a package access issue. But this time, it’s not caused by vulnerable code that exposes restricted packages. The malware we’ve...
  • Smoke and mirrors and Win32/Phorpiex

    This month one of the families introduced to MSRT is Win32/Phorpiex, a worm that spreads via removable drives and has IRC-controlled backdoor functionality. In most respects Phorpiex is another worm, with typical command and control via IRC as well as spreading via removable drives. Like much other malware, it usually does this by using Autorun, copying itself to the removable drive and writing an "autorun.inf" file to ensure execution on access, assuming the system is configured to allow autorun...
  • An analysis of Dorkbot’s infection vectors (part 2)

    In part 1 of this series, we talked about Dorkbot and its spreading mechanisms that required user interaction. In this post, we'll talk about how Dorkbot spreads automatically, via drive-by downloads and Autorun files.
    Spreading vectors not requiring user interaction: drive-by downloads and Autorun files
    Dorkbot can also spread automatically, without user interaction. We recently encountered a malicious Java applet that exploits the vulnerability described in CVE-2012-4681 to distribute the...
  • Another way Microsoft is disrupting the malware ecosystem

    Like it or not, in today’s world, online advertising plays a large and important role in supporting the web. Pay-per-click (PPC) advertising, born in 1998, created a system whereby advertisers only pay when potential customers click on an advertisement's link. This system allowed companies to target very specific market segments, better gauge sales campaign performance and to only pay for what was clicked. This helped drive demand for publishers. Publishers are those people with websites or...