Microsoft Malware Protection Center

Threat Research & Response Blog

Browse by Tags

  • Blog Post: Waledac Trojan Hosted by Fake Obama Website

    “Now that Inauguration Day is upon the US, malware authors have a new spate of social engineering tricks up their sleeve.” We've seen Barack Obama's name used by malware authors for malevolent purposes before, during the campaign and leading up to the US Presidential Elections. Now that Inauguration...
  • Blog Post: Now I've Seen It All (Maybe)

    I've been coding anti-virus routines for 1, 2, 5... 10, 15, 20... a really long time. Starting with the Apple II, before there was even an anti-virus industry, and continuing on the PC (and funnily enough, joining the industry wasn't the obvious choice for me when I left school). In between times, I...
  • Blog Post: What we know (and learned) from the Waledac takedown

    Recently, following an investigation to which various members of the MMPC contributed, Microsoft’s Digital Crimes Unit initiated a takedown of the Waledac botnet in an action known as Operation b49, an ongoing operation to disrupt the botnet for the long term. The takedown also marked a new phase of...
  • Blog Post: A Few Quiet Days… and a New Exploit of MS08-067 Has Been Identified

    April 1st is behind us and nothing really happened with Conficker. But it is never boring in the antimalware world. We have found a new exploit of MS08-067 other than Conficker. We also discovered that we already detected and protected users against this new malware. We added information about mitigations...
  • Blog Post: Online Game Password Stealers Riding with 0-day DirectShow Exploits

    On May 28, our colleagues at The Microsoft Security Response Center released advisory 971778, which elaborated on a new vulnerability in Microsoft DirectShow affecting Windows 2000, Windows XP and Windows Server 2003. You can obtain more details on how to protect your environment from this vulnerability...
  • Blog Post: My Favourite Time of the Year

    It's when a VX group folds, and it has happened again. Twice, even. The day before the "much anticipated" ;-) EOF-DoomRiderz-rRlf group zine was released, rRlf announced that they were disbanding. This is something that we could have guessed anyway, based on the comment in Latin that was posted on their...
  • Blog Post: Vundo Employs Worm Behavior

    Vundo is a malware family that doesn't need any introduction. It was one of the families added into the MSRT and remains in the top 10 detections every month. It is commonly reported as a nuisance due to the incessant popups that it delivers to the user desktop--mostly related to rogue programs; slowing...
  • Blog Post: The Cost of Free $oftware (part 2)

    After we tracked down one of the sources for the Zlob trojan as a free torrent download, we decided to see exactly how deep the rabbit-hole goes. So we checked the newest uploads and saw another package for the latest version of WinRAR (3.80). It had just been uploaded so we decided to see if it really...
  • Blog Post: The new IE exploits for Advisory 961051, Now Hosted on Pornography Sites

    Two days ago, we blogged about attacks that involve exploits of the recently discovered vulnerability in Internet Explorer. We would like to give you a quick update about these attacks. Based on our stats, since the vulnerability has gone public, roughly 0.2% of users worldwide may have been exposed...
  • Blog Post: Detection Added For The New 0-day In Excel

    The MSRC released an advisory about 0-day exploits in Excel and they also have blogged about it. These exploits currently are being used for targeted and limited attacks. We released definition 1.51.1105.0 today to help protect customers against these attacks and the detection name is Exploit:Win32/Evenex...
  • Blog Post: Current Events Spark Round of Malware

    Attackers are busy monitoring current events so they can distribute malware that appears relevant, such as sending spam messages containing links to malware with contextual references to the 2008 Olympics in Beijing, or other current events. We recently began receiving reports of a new spam run with...
  • Blog Post: Happy Birthday USA! (The Waledac way)

    Since Independence Day just passed, this probably looked appealing for the Waledac guys to drop us another campaign. The Waledac malware family is known for using special and recent events to try to increase their chances of infecting computers. We’ve blogged about past Waledac spam runs in the past...
  • Blog Post: The Low-Down on Daonol

    A relatively new trojan has been making the rounds and causing some problems, particularly on Windows XP systems. Trojan:Win32/Daonol is malware which hooks various system calls in order to steal credential information and redirect some Web traffic. It also protects itself by keeping some security-related...
  • Blog Post: Scanti-ly Clad - Another Rogue Stripped by MSRT

    Anyone who’s seen a system infected by a rogue security program doesn’t need to be told how annoying they can be, as they attempt to scare, threaten, cajole, hector, harangue, pester, aggravate, intimidate, badger, harass and generally nag* the user into paying to register the fake software. And even...
  • Blog Post: Win32/Slenfbot - Just Another IRC bot?

    This month we added a new family of malicious IRC bots to MSRT - Win32/Slenfbot. IRC bots were all the rage a couple of years ago but have dropped off a little in recent times. In general, malware has both diversified and become more specialised, with many bad guys using custom communications protocols...
  • Blog Post: Where's Waledac?

    The family added to the April MSRT release is Win32/Waledac. If you haven't heard of the family before, there is a chance you may have seen some of the spam generated by Win32/Waledac in your inbox. We've blogged about some of the spam campaigns in the past, such as Fake Obama or the Valentine Devkit...
  • Blog Post: MSRT and an Update of Worms in the Wild

    On April 14th, Microsoft released the latest update to the Microsoft Malicious Software Removal Tool. This month, as you know from Scott Molenkamp’s blog post, we added Win32/Waledac. In fact, of the top 5 families, worms make up 3 of the slots: Win32/Taterf, Win32/Frethog, and Win32/Koobface. ...
  • Blog Post: Radio-Frequency Identification devices, is infection a reality? (Part 2 - Hardware)

    An RFID system is based around a reader and a tag. A tag stores information, whereas an RFID reader retrieves or modifies information stored on the tag. To transmit this information through the air, both devices use high frequency electric current oscillations (the frequency of such current oscillations...
  • Blog Post: I can’t go back to yesterday - see you in Geneva

    At last year’s VB conference, my talk “Playing with shadows - exposing the black market for online game password theft” discussed malware being sold on the black market for password stealing purposes. During the “Q & A” time, someone asked a question regarding the technical details of Dogrobot...
  • Blog Post: SQL Injection - New Approach for Win32/FakeXPA?

    (often known as "Antivirus 2009"). One night while browsing, a message box popped up asking me to do a "security scan". As a researcher, I wouldn't let this pass me by. After going through my opened tabs I narrowed down the culprit to a forum I had open at the time. "View Source" showed a 1x1 pixel...
  • Blog Post: New 0-day Exploits Using PowerPoint Files

    The Microsoft Security Response Center has released Advisory 969136 today about a vulnerability in Microsoft Office PowerPoint which is being exploited in the wild. Office 2000, Office XP, Office 2003 and Mac Office are vulnerable; however, the latest version, Office 2007, is not. The Microsoft SRD blog...
  • Blog Post: MMPC Encyclopedia Top 5: More Bancos

    The following is a list of our top five most commonly viewed encyclopedia pages last month: TrojanSpy:Win32/Bancos.gen!A, Program:Win32/Antivirus2008, Trojan:Win32/Vundo.gen!H, Win32/Vundo, Win32/Virtumonde. The trends appear quite similar to the month prior: the most popular encyclopedia...
  • Blog Post: Dead code walking

    Recently I had a moment to review a group of PDF exploit files. Many exploits use various tricks to obfuscate embedded JavaScript. I thought I could de-obfuscate the samples by throwing them into a sandbox environment and enjoying the beautified source code, but these samples required a different method...
  • Blog Post: Win32/Yektel - the Other Kind of Rogue

    In addition to Win32/FakeXPA we added another rogue-related malware family to MSRT this month - Win32/Yektel. Win32/Yektel is a different kind of rogue. Like other rogues, it displays fake warnings about possible malware or spyware, but rather than pretending to be a security product itself, it tries...
  • Blog Post: Bugging the Debuggers

    No-one who knows what they're talking about would say that writing a debugger is easy. It's certainly made harder when the platform offers so many opportunities for things to go wrong. Here are two examples. CreateToolhelp32Snapshot: This function was introduced to the Windows NT-line in Windows...