Microsoft Malware Protection Center
Threat Research & Response Blog
Revenge of the Reveton
Posted over 1 year ago by msft-mmpc
Computer users around the world are increasingly accustomed to managing their bank accounts, paying their bills and performing other activities online. The use of technology to manage finances has long been a target of attackers, and malware authors continue to create scams that try to persuade potential victims to provide access to their valuable personal information, including logon credentials for online accounts. Trojan:Win32/Reveton.A is a recent example of malware that attempts to phish these...
MSRT April 2012: Win32/Claretore
Posted over 1 year ago by msft-mmpc
We included three threat families in the April edition of the Microsoft Malicious Software Removal Tool - Win32/Claretore, Win32/Bocinex and Win32/Gamarue. In this post, we discuss Win32/Claretore. The earliest reported variant in this family can be traced back to November 2011. Claretore is a trojan that injects itself into running processes to intercept browser traffic and redirect the browser to an attacker-defined URL. It also sends information about the affected computer to a remote server...
Microsoft and partners disrupt Zeus botnets
Posted over 1 year ago by msft-mmpc
We have discussed in the past our collaboration with external parties to combat botnet threats to further the betterment of the Internet, such as Operations b49, b107 and b79. This week, Microsoft has partnered with security experts and the financial services industry on a new action codenamed Operation b71 to disrupt some of the worst known botnets using variants of the notorious Zeus malware (which we detect as Win32/Zbot). Due to the complexities of these targets, unlike Microsoft’s...
Vulnerability analysis, practical data flow analysis and visualization
Posted over 1 year ago by msft-mmpc
Recently at CanSecWest 2012, we presented on the technology we use for analyzing malicious samples and PoC files. As malware often actively attempts to exploit software vulnerabilities these days, understanding the internals of these vulnerabilities is essential when writing defense logic. Out of the many methods that can be used for vulnerability analysis, we presented a method that uses dynamic binary instrumentation and data flow analysis. Dynamic binary instrumentation and data flow analysis...
Piecing the malware puzzle – Exploring a spike in exploit activity
Posted over 1 year ago by msft-mmpc
In this post, we explore a telemetry spike in Java/OpenConnection and CVE-2011-3544 exploit activity. While reviewing user feedback from the Microsoft Malware Protection Center recently, we noticed an unprecedented amount of feedback on one particular Java/OpenConnection variant -- TrojanDownloader:Java/OpenConnection.PK. Such interest in this type of Java applet-based exploit is quite unusual, and prompted us to investigate further. A signature for this threat was introduced on February 22...
An interesting case of JRE sandbox breach (CVE-2012-0507)
Posted over 1 year ago by msft-mmpc
Recently we received a few samples that exploit the latest patched JRE (Java Runtime Environment) vulnerability. These samples are kind of unusual to see, but they can be used to develop highly reliable exploits. The malicious Java applet is loaded from an obfuscated HTML file. The Java applet contains two Java class files - one Java class file triggers the vulnerability and the other one is a loader class used for loading. The vulnerability triggering class is actually performing deserialization...
Ransomware: Playing on your fears
Posted over 1 year ago by msft-mmpc
The last two years have seen an increase in malware which takes control of, and holds hostage, an infected machine, locking the user out until a payment of some form can be extorted. This threat type is also known as 'ransomware'. Various tactics have been used by the malware writers in an attempt to intimidate users into paying a ransom in order to get back control of an infected machine. We wrote a blog post last December that describes malware extortion tactics, here. Scare tactics include...
MSRT March: Three Hioles in one
Posted over 1 year ago by msft-mmpc
In a previous post, we discussed Win32/Dorkbot, one of the major threat families included in the March 2012 release of MSRT. In this post, we discuss the other inclusions, Win32/Hioles, Win32/Pluzoks and Win32/Yeltminky. Win32/Hioles Similar to last month's focus on Win32/Pramro, Win32/Hioles is another trojan that resides on the computer and functions as a proxy server. The first variant was identified in mid-2011. One popular infection vector for the malware is via spammed messages containing...
MSRT March 2012: Breaking bad
Posted over 1 year ago by msft-mmpc
This month, the MMPC added Win32/Dorkbot to the Microsoft Malicious Software Removal Tool along with detections for the threats Win32/Hioles, Win32/Pluzoks and Win32/Yeltminky. Win32/Dorkbot is described as an IRC-based botnet and a worm, a backdoor with rootkit capability and a password stealer. Despite using a very simple IRC protocol to communicate with the command and control (C&C) server, it was able to build a substantial installation base after a couple of years in operation. Some...
There's a cream for that
Posted over 1 year ago by msft-mmpc
The other day, while previewing messages in my inbox, I saw a conspicuous message with the following parameters, typos included: To: (email address) CC: (email address),... Subject: Your ex sent me this pciture of you. Body: Hey (email address), Your ex sent me this picture claiming it's you. Is it really so? You probaly should see a doctor:) They can cure it now:). Attachment: "Photo.zip" The attached file is a ZIP archive that contains an executable file named "IMG04958.exe" (SHA1...