Microsoft Malware Protection Center

Threat Research & Response Blog

  • Blog Post: MSRT January 2014 – Bladabindi

    This month the Malicious Software Removal Tool (MSRT) includes a new malware family - MSIL/Bladabindi. An interesting part of this family is that the author made three versions of this RAT, written in VB.NET, VBS and AutoIt. The malware builder is also publicly available for download. Because of...
  • Blog Post: Korean gaming malware - served 3 ways

    Recently, we’ve seen similar activities being performed by different malware that monitor online Korean applications. Mostly, the applications they monitor are card games, such as those in Figure 1. Figure 1: Examples of online Korean games that are being monitored. (Source: http://www.hangame...
  • Blog Post: Easy Money: Program:Win32/Pameseg (part one)

    Nowadays many people believe in the opportunity to achieve great wealth without much effort, not leaving the house, not interrupting their favorite computer games, forums, social networking and so on. This type of opportunity is widely marketed by companies providing paid digital content services. You...
  • Blog Post: Obfuscating, bifurcating, escalating and mitigating on 64-bit

    With the growth in adoption of 64-bit architectures and associated operating systems, we're seeing the usual malicious suspects following the trend. We have seen variants of several families, including Alureon, Koobface, Sirefef and Ursnif targeting this platform. These families adopt various techniques...
  • Blog Post: Keep your Facebook friends close and your antivirus closer

    Facebook malware attacks are not new. Scams spreading via status updates have been around for a long time, but in recent weeks one threat has been getting creative in terms of social engineering. Backdoor:Win32/Caphaw.A can intercept URL requests in both Firefox and Internet Explorer and it has been...
  • Blog Post: All copy and paste makes Jack a bored boy

    We recently came across what appeared to be a new sample, but was actually part of malware discovered in 2010. This new-old sample is built from publicly available source code and, like many of its kind, is frequently rebranded. Because of all the changes that malware authors have made, we have detection...
  • Blog Post: How to defang the Fake Defragmenter

    We have been tracking this fake "System Defragmenter" software since its first appearance in October 2010, and warned our customers in our earlier post about this trojan software. In this follow-up post, we give an update including a new variant worth noting for our customers...
  • Blog Post: An analysis of Dorkbot's infection vectors (part 1)

    Malware nowadays benefits from the complexity of the Internet ecosystem to infect new computers through vectors such as browser plugins, social networks, and instant messaging programs. In this two-part series, we'll look at Worm:Win32/Dorkbot, a prevalent worm with the capabilities of an IRC backdoor...
  • Blog Post: Backdoor Olyx - is it malware on a mission for Mac?

    The recent emergence of rogue security software applications for Mac demonstrates how cybercriminals effectively use social engineering techniques to manipulate users' responses - specifically, exploiting users' fear of revealing sensitive information such as credit card details. This scare tactic evidently...
  • Blog Post: Don't fall for Folstart

    We use thumb drives in different ways – usually to transfer files from one computer to another. When we create folders in thumb drives, we have a certain level of confidence that the folder isn't malicious or doesn't contain malware. Unfortunately, this assumption is not always true. For the month...
  • Blog Post: An analysis of Dorkbot’s infection vectors (part 2)

    In part 1 of this series, we talked about Dorkbot and its spreading mechanisms that required user interaction. In this post, we'll talk about how Dorkbot spreads automatically, via drive-by downloads and Autorun files. Spreading vectors not requiring user interaction: Drive-by downloads and Autorun...
  • Blog Post: ELAM Is Black and White

    At the Virus Bulletin conference this year, there was a talk about the limitations and suggested enhancements for the Early Launch Anti-Malware (ELAM) environment. The main observation, complaint if you will, was that there is no way for an anti-malware (AM) engine to perform a deep scan. However, there...
  • Blog Post: Mobile threats on the desktop

    The MMPC has been routinely monitoring threats (via the desktop) that affect different mobile platforms such as Symbian, Java ME, Android, RIM, iOS and Windows Mobile. One of the increasingly common ways we see mobile devices being compromised is by allowing the user to download and install applications...