Microsoft Malware Protection Center

Threat Research & Response Blog

Browse by Tags

  • Blog Post: Waledac Trojan Hosted by Fake Obama Website

    “Now that Inauguration Day is upon the US, malware authors have a new spate of social engineering tricks up their sleeve.” We've seen Barack Obama's name used by malware authors for malevolent purposes before, during the campaign and leading up to the US Presidential Elections. Now that Inauguration...
  • Blog Post: Phishing encounter while on vacation

    It was my first night in Beijing for a long-overdue vacation. I purchased a SIM card from the airport and sent SMS greetings to friends and family and other families in town. SMS is hugely popular and a main communication channel in China. Guess what? The first SMS I received was from a strange number...
  • Blog Post: Where's Waledac?

    The family added to the April MSRT release is Win32/Waledac . If you haven't heard of the family before, there is a chance you may have seen some of the spam generated by Win32/Waledac in your inbox. We've blogged about some of the spam campaigns in the past, such as Fake Obama or the Valentine Devkit...
  • Blog Post: Friendly spam carries Zbot

    ​This morning I spotted a few messages from my mobile carrier in my email inbox. This was not surprising as, only a few hours prior, I had logged into the carrier's website to pay the monthly bill. The standard mode of operation for my provider is to receive a bill via email, and a confirmation message...
  • Blog Post: MSRT November: Dofoil

    As previously noted , one of the three families added to the November release of the Microsoft Malicious Software Removal Tool is Win32/Dofoil . TrojanDownloader:Win32/Dofoil is a configurable downloader. Dofoil will attempt to receive control instructions from a remote server. The response contains...
  • Blog Post: Little Red Riding Hood or Big Bad Wolf? Your Sweetheart or Waledac?

    Valentine's Day is almost here. While your friends and loved ones are crafting their e-cards, malware authors are also releasing their annual love letters into the mix. Win32/Waledac started a bit early, we noticed it’s Valentine theme spam mails as early as January 26th. However, as Valentine's Day...
  • Blog Post: Cashing in on Conficker's Bad Name

    Over the last couple of days we've seen some spam claiming to be from Microsoft, providing a free scan to remove Conficker . Here's an example: The link actually takes you to a typical fake online scanner page used to serve up a rogue security scanner: In this case the page tries to get you...
  • Blog Post: MSRT February 2009 - Win32/Srizbi

    This month's MSRT takes on one of the largest botnets currently active worldwide – Win32/Srizbi . The Srizbi family of malware consists of trojan droppers and rootkits that often spread through spam e-mails containing download links to the malware. Much like its alleged close cousin Win32/Rustock...
  • Blog Post: Operation b107 - Rustock Botnet Takedown

    Just over one year ago, Microsoft- with industry and academic partners- utilized a novel combination of legal and technical actions to take control of the Win32/Waledac botnet as the first action in Project MARS (Microsoft Active Response for Security).   Today, a similar action has had its legal...
  • Blog Post: Doctor Who calling–on Skype, with malware

    Earlier this week, I received a phone call via Skype on my laptop, the caller’s ID was “ dralerthelpzc8 ” as in Dr Alert Help ZC8 . The voice on the other end was automated, computerized and otherwise non-human, and alerted me that I had a virus that affects Windows Vista, Windows XP and Windows 7 and...
  • Blog Post: MSRT on CAPTCHA breaking malware

    A CAPTCHA (IPA: /ˈkæptʃə/) is a type of challenge-response test used in computing to ensure that the response is not generated by a computer. The process involves one computer (a server) asking a user to complete a simple test which the computer is able to generate and grade. Because other computers...
  • Blog Post: Trojan downloader Chepvil on the UPSwing

    A new spam campaign using UPS (United Parcel Service) as a social-engineering draw was initiated this week. The spammed message contains an attachment, detected as TrojanDownloader:Win32/Chepvil.I . The spam campaign actually started around March 16th 2011. The threat was originally detected as Backdoor...
  • Blog Post: Slick links linked to slinky Winwebsec

    I received a spam email from a friend lately after which I immediately notified him of a potential malware infection.  He insisted his technician had taken care of the infection once and for all.  After I returned from my vacation I received another three spam mails from him.  This time...
  • Blog Post: O Come All Ye Malware

    Well, after our last post, it certainly didn't take long to see some examples of festive malware from the wild. (You'd almost think that we've seen this kind of behavior before - again and again and again...) In the last couple of days, we (and other AV vendors) have observed the arrival of several new...
  • Blog Post: Email Scam Targets Microsoft Customers

    Email scams are a common way to spread malware and/or steal personal information. Some great guidelines to help you protect yourself from such scams are outlined here: http://www.microsoft.com/protect/computer/viruses/email.mspx We have recently found out about the latest in an ongoing string of email...
  • Blog Post: MSRT January ‘11: Win32/Lethic

    Win32/Lethic is a trojan that communicates with a remote server to distribute spam. Variants of Lethic install executable files with varied file names such as “ shelldm.exe ” or “ xcllsx.exe ”. The malware loads as a process when Windows starts. The trojan establishes a connection to remote servers using...
  • Blog Post: Scam emails - the cost of response

    Recently, I received an email in my personal inbox with a subject line “MYSTERY SHOPPER ASSISTANT“ (the message did not filter to my junk folder and was not marked as spam). Image 1 – “Mystery shopper assistant” spam I’m familiar with the hobby of mystery shopping – a service provided under contract...
  • Blog Post: Insights into Win32/Bradop

    Have you heard of Win32/Bradop? We recently investigated this interesting data theft family in more detail and exposed some of its inner secrets. The following is a description of what we found out. Spoiler alert: spam emails, protectors, the download mechanism, database credentials, stolen data, and...
  • Blog Post: Spam - What the Doctor Ordered?

    Periodically I'll glance into my spam folder within Outlook and see if the messages there deserve this somewhat final resting place. I spotted a number of messages that have a very similar pattern in the message body when viewed in plain-text mode - see if you can spot the pattern too... c'mon, it'll...
  • Blog Post: Where is Waledac - Episode II

    The Spambot Whilst Win32/Waledac is probably best known for the ability to send spam, it can also download and execute arbitrary files. In addition to using this downloading mechanism to update itself, Waledac can also download other malware. The MMPC has observed the download of Trojan:Win32/FakeSpypro...
  • Blog Post: Stratfor customers targeted by cybercriminals

    Cybercriminals are continuing to use a social engineering trick to lure users for their malware campaigns. This time, they targeted customers of Stratfor - a subscription-based provider of geopolitical analysis. Attacks against Stratfor clients began after a reported breach of their customer database...
  • Blog Post: 4th of July Greetings

    Aside from the Storm Worm , a new 4th of July malware is currently being spammed around. Below is a sample of the greeting card mail: Clicking on the link will not lead you to greetings.com but rather to a malware download site with a filename july.exe It turns out the july.exe is another IRC backdoor...
  • Blog Post: Analysis of the CVE-2011-0611 Adobe Flash Player vulnerability exploitation

    About a month ago, we blogged about an Adobe Flash Player vulnerability ( CVE-2011-0609 ) that was actively exploited in the wild. That exploit was hidden inside a Microsoft Excel document. Over the weekend, a new Adobe Flash Player 0-day ( CVE-2011-0611 ) was reported by Adobe in a recent advisory ...
  • Blog Post: Closing In on Open Relay Mail Servers

    About four months ago some new colleagues in the security business arrived in our Dublin office. They are part of Microsoft Anti-spam team and it is our pleasure to have them here :) The Dublin Spam team recently told us that almost every week, Microsoft Forefront Online Security for Exchange is filtering...
  • Blog Post: Merry Malware - You’d better watch out, you’d better think twice…

    With visions of sugarplums dancing through my head constantly from around September onwards, I eagerly (and somewhat obsessively) await the festive season every year. As heralded by my son opening the first box on his advent calendar this morning to liberate the toy hidden within, as far as I am concerned...