Microsoft Malware Protection Center

Threat Research & Response Blog

June, 2013

  • Viewing Vobfus infections from above

    Win32/Vobfus is a family of worms that spreads via removable drives and downloads other malware, and a family that is causing people a lot of pain lately. Vobfus was initially discovered in September 2009 and became prevalent with its use of the MS10-046 .LNK vulnerability . The .LNK vulnerability has also been used by Chymine , Sality , and Zbot , though it is no longer used by Vobfus. The name Vobfus comes from the characteristics that these worms are V isual Basic and obfus cated. Vobfus is...
  • Ad injection and you - how adware gets on your computer

    Are advertisements showing up in your browser (no matter whether you use Internet Explorer, Firefox or Chrome) on sites that you've never seen ads on before; or, do the ads seem different from what you've seen before? Your system might be affected by adware that injects advertisements into sites as you browse, such as Adware:Win32/InfoAtoms and Adware:Win32/Addlyrics . One of the biggest questions we get about these programs (besides how to get rid of them), is how did it get installed in the...
  • Investigation of a new undocumented instruction trick

    While investigating some new malware samples this week, we came across a few interesting files that use a new trick with an undocumented instruction. We had to do a bit of digging around the Intel instructions list to solve this little mystery. While it turned out that the trick itself isn't effective in complicating debugging and disassembly, we think it's worth sharing anyway, as we're now seeing three different malware variants using it. One of the samples flagged by our systems (SHA1:3d85cc93115c1ebfdeba17b54d6570e06c1bb2f5...
  • Another year, another rogue. Not what the doctor ordered

    Another new year is almost upon us. Or at least that's what the distributors of Rogue:Win32/Winwebsec would have us believe - releasing a new branding System Doctor 2014 just prior to the middle of 2013. Figure 1: System Doctor 2014 user interface For some time, Winwebsec has had only one branding active at a time. While there have been a number of name changes, the interface and behavior have otherwise remained mostly unchanged. System Doctor 2014 represents a departure from this, with...
  • Rise of the social bots

    ​Malware authors and distributors follow the money. When you consider the growing popularity of social networking websites, it should come as no surprise that malware continues to maintain its presence in this area. Every year we are spending a growing proportion of our time online using social media like Facebook, Twitter and YouTube. What does this mean for the malware ecosystem? Malware authors and distributors know that social networks don’t just connect people, they also instill...