Microsoft Malware Protection Center

Threat Research & Response Blog

May, 2013

  • Browser extension hijacks Facebook profiles

    We have received reports about a wave of malicious browser extensions trying to hijack Facebook profiles. This threat was first discovered in Brazil. We detect it as Trojan:JS/Febipos.A. The malware is a malicious browser extension specifically targeting Chrome and Mozilla Firefox. When installed, it attempts to update itself using the following URLs:
    Chrome browser: du-pont.info/updates/<removed>/BL-chromebrasil.crx
    Mozilla Firefox browser: du-pont.info/updates/<removed>...
  • No paysafecard needed, your passwords will pay off

    The past year has been one of expansion for ransomware. Throughout 2012 an increasing number of blogs, tutorials and discussion forums were written to help people gain access to ransomware-locked computers without paying the ransom. The authors of Reveton ransomware are aware that the persistence of their malware on a system is not only narrowed by an antivirus product, but also the computer user who tries to remove the threat. Not every infection is going to result in a paid ransom, so the Reveton...
  • The Wonder of Sirefef Plunder

    Sirefef, also known as ZeroAccess, is a malware platform for receiving and running malware modules. Two prominent modules generate revenue for the cyber criminals by mining for bitcoins and perpetrating click-fraud. Click-fraud is the deliberate misappropriation of ad revenue by generating online clicks that don’t originate from a potential customer or the rightful publisher. Click-fraud is lucrative and a relatively easy way for cyber criminals to monetize their malware and/or launder...
  • Windows 8 and Keygens

    As we first reported in the Microsoft Security Intelligence Report Volume 13, keygens have become the number one threat reported by users of Microsoft antimalware products. The research also indicates that 76 percent of users who downloaded keygens or software cracks were also exposed to other, more dangerous malware. Keygens are typically not very dangerous on their own. However, malware authors are having great success using deceptive downloads that either pretend to be keygens or contain them as well...
  • CVE-2012-1876: Recent update to the Cool Exploit Kit landing page

    A recently debuted exploit kit (EK), called "Cool EK," which we detect as Exploit:JS/Coolex, has been known to include various exploits targeting everything from Oracle JRE, Adobe Reader and Adobe Flash Player to Windows kernel-mode drivers. If you’re unlucky enough to visit a webpage that hosts Cool EK, you might encounter all these exploits in one place, turned against you in a barrage designed to compromise your computer. Recently there was an update to the kit’s armaments to include...
  • Updated data shows prevalence of Java malware in 2012

    Recently we released the Microsoft Security Intelligence Report volume 14. The report initially presented data showing Java malware detections falling in Q3 2012 and rising again in Q4 2012. During a later review of the backend data, we found that we were missing some detection counts from our initial calculations. We have revised the data, and Figure 1 shows the updated graph. Figure 1: Machine count of detections for each exploit category. From Figure 1, what we can see...
  • How easily USteal my passwords

    Bundling malware and legitimate software on unofficial download websites is an effective way of tricking users into running malicious files. We often see keygens, hacktools and game trainers bundled with trojans and posted on forums or as comments under videos. I recently analyzed a file that claimed to be a game tool used for customizing Dota2, a multiplayer online battle arena video game developed by Valve Corporation. The tool was made by a third party and offered for free download online....
  • Don't pay the rogue, scan with MSRT

    We added three new families to this month’s Malicious Software Removal Tool (MSRT): Win32/FakeDef, Win32/Vicenor, and Win32/Kexqoud. In this blog, we will talk about the rogue antivirus family Win32/FakeDef. It’s not a big player in the rogue world, but it has its own unique characteristics. We found this family in the wild in December 2012. Initially it was pushed to a victim's machine by Win32/Fareit variants. This means machines where Win32/FakeDef is found may also be...
  • New whitepaper: Evaluating Microsoft's protection performance and capabilities

    In order to evaluate the performance of their protection provider, customers need to rely on information that goes beyond what external certifications and comparative tests can provide. Today we’re releasing a whitepaper, called "Evaluating Microsoft’s protection performance and capabilities," that we believe will help customers with these evaluations. The whitepaper describes the measurements we use to track our effectiveness across quality, customer experience, and protection coverage...
  • Microsoft’s proactive fight against cybercrime

    The Microsoft Malware Protection Center (MMPC) is committed to protecting our customers from malicious software and disrupting the malware ecosystem. To achieve these goals, we forge partnerships with internal and external teams. One such team, Microsoft Digital Crimes Unit (DCU), has expanded their partnerships to include the National Institute of Communication Technologies (INTECO) of Spain. This organization is one of the first to utilize live botnet data feeds from the new Azure-based Cyber...
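The Febipos entry above describes an extension that fetches its own updates from attacker-controlled hosts rather than from the browser vendor. The following script is an added example, not code from the MMPC post or from the malware, that audits a Chrome profile's Extensions directory and flags any manifest whose update_url points somewhere other than the Chrome Web Store update service (clients2.google.com). The extension names, directory ids and the updates.example.invalid host in the sample data are constructed for the demo; the Windows profile path in the comment is the default Chrome location and is the only real-world path assumed. The check covers Chrome only (Firefox extensions of that era declared updateURL in install.rdf, which needs a separate parser), and a missing update_url is not proof of safety: the page does not show the Febipos manifest, so whether it used the manifest update channel or its own updater code is not something this script can settle.

```python
"""
Audit Chrome-style extension manifests for update channels that bypass the
Chrome Web Store. Added example with constructed sample data; the Febipos
update hosts are <removed> on the page and are not reproduced here.
"""
import json
import os
import tempfile
from urllib.parse import urlparse

# Host of the update service used by extensions installed from the Chrome Web Store.
WEB_STORE_UPDATE_HOST = "clients2.google.com"


def classify_update_url(update_url):
    """Return 'store', 'missing' or 'external' for a manifest's update_url."""
    if not update_url:
        return "missing"  # unpacked/sideloaded: no auto-update channel declared
    host = (urlparse(update_url).hostname or "").lower()
    # Exact host match, so clients2.google.com.evil.invalid is still 'external'.
    return "store" if host == WEB_STORE_UPDATE_HOST else "external"


def audit_manifest(manifest, path=None):
    """Summarise one parsed manifest; 'suspicious' means a non-store update channel."""
    update_url = manifest.get("update_url")
    verdict = classify_update_url(update_url)
    return {
        "name": manifest.get("name", "<unnamed>"),
        "version": manifest.get("version", "?"),
        "update_url": update_url,
        "verdict": verdict,
        "suspicious": verdict == "external",
        "path": path,
    }


def audit_extensions_dir(root):
    """Walk a profile's Extensions directory (<id>/<version>/manifest.json) and audit each manifest."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        if "manifest.json" not in files:
            continue
        path = os.path.join(dirpath, "manifest.json")
        try:
            with open(path, encoding="utf-8-sig") as fh:  # tolerate a UTF-8 BOM
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, don't abort the scan
        results.append(audit_manifest(manifest, path))
    return sorted(results, key=lambda r: r["name"])


# Constructed sample manifests (hypothetical names, ids and hosts, not real Febipos data).
SAMPLE_MANIFESTS = {
    "aaaa/1.0": {"name": "Store Extension", "version": "1.0",
                 "update_url": "https://clients2.google.com/service/update2/crx"},
    "bbbb/0.1": {"name": "Sideloaded Extension", "version": "0.1"},
    "cccc/2.3": {"name": "Self-updating Extension", "version": "2.3",
                 "update_url": "http://updates.example.invalid/ext/update.xml"},
}


def demo_directory_audit():
    """Lay the samples out like a Chrome profile in a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as root:
        for rel, manifest in SAMPLE_MANIFESTS.items():
            ext_dir = os.path.join(root, *rel.split("/"))
            os.makedirs(ext_dir)
            with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as fh:
                json.dump(manifest, fh)
        return audit_extensions_dir(root)


if __name__ == "__main__":
    # Real run on Windows (default Chrome profile):
    #   audit_extensions_dir(os.path.expandvars(
    #       r"%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions"))
    for r in demo_directory_audit():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['name']} {r['version']} update_url={r['update_url']}")
```

The host comparison is exact rather than a substring or suffix match, so a lookalike such as clients2.google.com.evil.invalid is still reported as external. Treat the output as a triage list: an external update_url is a strong indicator for a sideloaded extension, while "missing" entries still deserve a look at what the extension's own scripts fetch at runtime.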