Microsoft Malware Protection Center

Threat Research & Response Blog


  • Blog Post: An analysis of Dorkbot’s infection vectors (part 2)

    In part 1 of this series, we talked about Dorkbot and its spreading mechanisms that required user interaction. In this post, we'll talk about how Dorkbot spreads automatically, via drive-by downloads and Autorun files. Spreading vectors not requiring user interaction: Drive-by downloads and Autorun...
  • Blog Post: Analysis of the Eleonore exploit pack shellcode

    'Eleonore' is a malware package that contains a collection of exploits used to compromise web pages. When the compromised web pages are viewed via vulnerable systems, the exploit payload is run. Eleonore is purchased by an attacker from an underground website. The attacker then gains access to Internet...
  • Blog Post: A Technical Analysis on the Exploit for CVE-2011-2110 Adobe Flash Player Vulnerability

    On June 14, Adobe released updates and a security bulletin (APSB11-18) referencing attacks affecting Adobe Flash Player (versions 10.3.181.23 and earlier). These attacks have been observed as hosted on webpages containing malformed SWF files. We spent some time analyzing this Flash Player vulnerability...
  • Blog Post: Dead code walking

    Recently I had a moment to review a group of PDF exploit files. Many exploits use various tricks to obfuscate embedded JavaScript. I thought I could de-obfuscate the samples by throwing them into a sandbox environment and enjoying the beautified source code, but these samples required a different method...
  • Blog Post: A tangled web...

    The moment of infection, and the circumstances that lead to the introduction of malware to a system, are often not obvious. This short case study examines our observations and investigations into a particular example that illustrates a fairly typical method of compromise that is played out countless...
  • Blog Post: Nobel Prize site hacked, delivers malware

    Yesterday (Oct 26, 2010), MMPC researchers learned that the Nobel Peace Prize website "nobelprize.org" was hacked and users browsing the site using Firefox versions 3.5 and 3.6 may have received malware. The malware is delivered by way of a malicious JavaScript that exploits a vulnerability...
  • Blog Post: Have you checked the Java?

    Whilst working on our normal data pull and analysis for the Microsoft Security Intelligence Report (v9 - released last week), I embarked on a mini discovery mission on the exploit data that MMPC detects with our antimalware technology. Although the main focus of antimalware software is on traditional...
  • Blog Post: SIRv11: Putting Vulnerability Exploitation into Context

    As Vinny Gullotto, our GM, blogged earlier in the week, the 11th edition of the Security Intelligence Report (SIRv11) has been released. One of the new areas of research in this release is a study of the most prevalent kinds of vulnerability exploitation and how much of that exploitation is 0-day (short...
  • Blog Post: A technical analysis of Adobe Flash Player CVE-2012-0779 Vulnerability

    Recently, we've seen a few attacks in the wild targeting a patched Adobe Flash Player vulnerability. The vulnerability related to this malware was addressed with a recent patch released by Adobe on May 4th. On the Windows platform, Flash Player 11.2.202.233 and earlier is vulnerable. If you're using...
  • Blog Post: Slick links linked to slinky Winwebsec

    I received a spam email from a friend lately, after which I immediately notified him of a potential malware infection. He insisted his technician had taken care of the infection once and for all. After I returned from my vacation I received another three spam mails from him. This time...
  • Blog Post: Get gamed and rue the day...

    As we discussed last week, socially engineered threats are specially crafted threats designed to lure the eye and trick the mind - they look legitimate or benign, and in the worst case, may take advantage of a trusted relationship, by utilizing a compromised account or familiar website. Social engineering...
  • Blog Post: Microsoft Safety Scanner detects exploits du jour

    We recently updated the Microsoft Safety Scanner - a just-in-time, free cleanup tool. The new version adds support for 64-bit Windows systems and also allows for the download of the tool to run in non-networked systems such as those behind an air-gap network, those within an ISP's walled garden...
  • Blog Post: Embedded JavaScript in SWF

    In a blog published in November titled "Explore the CVE-2010-3654 matryoshka", we discussed a 0-day Shockwave (SWF) exploit that uses JavaScript to do malicious actions. In this blog, we discuss another advanced way SWF malware is combined with JavaScript, only this time without using a 0-day exploit...
  • Blog Post: Analysis of the CVE-2011-0611 Adobe Flash Player vulnerability exploitation

    About a month ago, we blogged about an Adobe Flash Player vulnerability (CVE-2011-0609) that was actively exploited in the wild. That exploit was hidden inside a Microsoft Excel document. Over the weekend, a new Adobe Flash Player 0-day (CVE-2011-0611) was reported by Adobe in a recent advisory...
  • Blog Post: An interesting case of Mac OSX malware

    In June 2009, Microsoft issued security update MS09-027, which fixed a remote code execution vulnerability in the Mac version of Microsoft Office. Despite the availability of the bulletin (and the passage of time), not every machine is up to date yet – which is how nearly three years later, malware...