Microsoft Malware Protection Center

Threat Research & Response Blog

February, 2014

  • Malicious Proxy Auto-Config redirection

    Internet banking credentials are a desired target for cybercriminals. They can be targeted with man-in-the-middle attacks or through password-stealing trojans such as Fareit, Zbot or Banker. A less known method of gaining unauthorized access to a user’s banking credentials, commonly found in South America and to a lesser extent in Russia, is through malicious Proxy Auto-Config (PAC) files. Normally, PAC files offer similar functionality to the hosts file, allowing IP/website redirection...
  • A close look at a targeted attack delivery

    For antimalware products, targeted attacks represent a very interesting class of malware. They are stealthy and only target specific organizations and industries, flying under the radar when it comes to identifying new malware files based on telemetry. The purpose of these attacks is most commonly to steal confidential and sensitive information by means of social engineering and unpatched, vulnerable software. We recently investigated a sample used in this kind of attack, Trojan:Win32/Retefe...
  • The MSRT in Action: Keeping systems safe

    In four days the January release of the Microsoft Malicious Software Removal Tool (MSRT) detected almost a million threats on PCs across the globe. In the video below, Dustin Childs and Joe Faulhaber explain what happened as the MSRT sprang into action.
  • A journey to CVE-2014-0497 exploit

    Last week we published a blog post about a CVE-2013-5330 exploit. We’ve also recently seen a new, similar attack targeting a patched Adobe Flash Player vulnerability (CVE-2014-0497). The vulnerability related to this malware was addressed with a patch released by Adobe on February 4, 2014. Flash Player versions 12.0.0.43 and earlier are vulnerable. We analyzed how these attacks work and found the following details. The malicious file has been distributed as a .swf file, which contains...
  • MSRT February 2014 - Jenxcus

    We have been seeing a lot more VBScript malware in recent months, thanks in most part to VBS/Jenxcus. Jenxcus is a worm coded in VBScript that is capable of propagating via removable drives. Its payload opens a backdoor on an infected machine, allowing it to be controlled by a remote attacker. For the past few months we have seen the number of affected machines remain consistently high. For this reason we have included Jenxcus in the February release of the Microsoft Malicious Software Removal Tool...
  • A journey to CVE-2013-5330 exploit

    Recently, we've seen a few attacks in the wild targeting a patched Adobe Flash Player vulnerability (CVE-2013-5330). This vulnerability was addressed with a patch released by Adobe on November 12, 2013. On the Windows platform, Flash Player version 11.9.900.117 and earlier are vulnerable. We had a chance to analyze how the attacks work and noted some interesting details from our investigation. The malicious file has been distributed as a .swf file using the obfuscator secureSWF, which has...