Microsoft Malware Protection Center

Threat Research & Response Blog

  • Backdoor Olyx - is it malware on a mission for Mac?

    The recent emergence of rogue security software applications for Mac demonstrates how cybercriminals effectively use social engineering techniques to manipulate users’ responses - specifically, by exploiting users’ fear of having sensitive information such as credit card details exposed. This scare tactic evidently works regardless of the platform. While financial gain is primarily the motivation that drives elaborate schemes of Internet fraud, a threat that appears limited and specific to its target...
  • Repack: A sneaky way to make a Yuan

    Nowadays, when people want to download software, they usually search for it using a search engine that leads them to a download site. But some software on these sites may be harmful. In China, more and more software package authors are using these download sites in a malicious way in order to make money. They add other unwanted software into the normal software package – this is called a "repack". Some time ago, one of our customers intended to download a web browser but instead downloaded...
  • The MMPC on Facebook and Twitter

    Late last week, the MMPC officially launched its Facebook page and its Twitter account. From this Welcome page, you can read our latest blog posts, see our latest Twitter feeds, and find out what threats most affect your desktop. You can also download the latest Security Intelligence Report (SIR), which contains a wealth of information on the current threat landscape. We have great plans ahead for our Facebook page - this launch is only the start! So Like us, Follow us, and stay tuned...
  • MSRT July 2011: Targeting web redirector malware

    The Malicious Software Removal Tool (MSRT) targets two prevalent families in this July 2011 release, Win32/Tracur and Win32/Dursg. Both families share common functionality that monitors user web search queries and redirects them to a malicious URL to display advertisements or download more malware. They affect users of web browsers such as Internet Explorer, Firefox, Opera and Chrome. For instance, Win32/Tracur installs a browser helper object, or BHO, for IE to monitor web search queries. It also...
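The BHO registration that Tracur relies on is the first place to look on a machine showing search redirects: Internet Explorer loads every CLSID listed under the Browser Helper Objects key and resolves each one to a DLL through its InprocServer32 entry. The Python below is an added example, not code from the MMPC post: it parses a `reg export` of those keys, resolves each BHO CLSID to its DLL path, and flags DLLs that live outside the usual program directories. The registry export, CLSIDs and paths are a constructed fixture, and the `TRUSTED_PREFIXES` list is a triage assumption rather than a rule: a BHO under Program Files still needs its signature and hash checked.

```python
# Where Internet Explorer looks up BHOs to load; each subkey is the CLSID of one BHO.
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_ROOT = r"HKEY_CLASSES_ROOT\CLSID"
# Directories an installer-deployed BHO normally lives under (assumed triage heuristic only).
TRUSTED_PREFIXES = (r"c:\program files", r"c:\windows\system32")

# Constructed fixture in `reg export` format; the CLSIDs and paths are made up.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-AAAA-4BBB-8CCC-000000000001}]
"NoExplorer"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22222222-AAAA-4BBB-8CCC-000000000002}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{33333333-AAAA-4BBB-8CCC-000000000003}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-AAAA-4BBB-8CCC-000000000001}\InprocServer32]
@="C:\\Program Files\\Example Vendor\\helper.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{22222222-AAAA-4BBB-8CCC-000000000002}\InprocServer32]
@="C:\\Users\\victim\\AppData\\Local\\Temp\\srchhook.dll"
"ThreadingModel"="Apartment"
"""


def parse_reg_export(text):
    """Parse a .reg export into {key_path_lowercase: {value_name: value}}.

    The default value is stored under the empty name. Quoted string values are
    unescaped; other kinds (dword:, hex:) are kept as their raw text.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()  # registry paths are case-insensitive
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "" if name == "@" else name.strip('"')
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        keys[current][name] = value
    return keys


def enumerate_bhos(keys):
    """List registered BHOs, resolve each CLSID to its DLL, and give a triage verdict."""
    prefix = BHO_KEY.lower() + "\\"
    findings, seen = [], set()
    for key in keys:
        if not key.startswith(prefix):
            continue
        clsid = key[len(prefix):].split("\\")[0].upper()
        if clsid in seen:  # a BHO subkey may itself have subkeys; report each CLSID once
            continue
        seen.add(clsid)
        inproc = keys.get(CLSID_ROOT.lower() + "\\" + clsid.lower() + "\\inprocserver32", {})
        dll = inproc.get("", "")  # default value of InprocServer32 is the DLL path
        if not dll:
            verdict = "unresolved: no InprocServer32 for this CLSID"
        elif dll.lower().startswith(TRUSTED_PREFIXES):
            verdict = "installed under a standard program location"
        else:
            verdict = "suspicious: DLL outside standard program locations"
        findings.append({"clsid": clsid, "dll": dll, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in enumerate_bhos(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{f['clsid']}  {f['dll'] or '<no DLL>'}  {f['verdict']}")
```

On a live machine, feed it the concatenation of `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" bho.reg` and `reg export HKCR\CLSID clsid.reg`; `reg export` writes UTF-16, so open the files with `encoding="utf-16"`. On 64-bit Windows the 32-bit IE reads the same key under `SOFTWARE\Wow6432Node`, which also needs exporting.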
  • Newly updated MMPC whitepapers now available

    Would you like to know more about the MMPC, and how we protect computer users worldwide? We have released new versions of two whitepapers which describe how the MMPC operates, and provide an introduction to the antimalware technologies that the MMPC supports. The two new papers are: - Malware Research and Response at Microsoft: This paper discusses the evolving nature of malware and introduces the team of antimalware researchers in the Microsoft Malware Protection Center (MMPC), which helps keep...
  • Rustock network offline, cleanup continues

    In an effort to continue raising awareness about the Rustock botnet that was successfully taken down on March 16th, the Microsoft Digital Crimes Unit (DCU), the Microsoft Malware Protection Center (MMPC) and Trustworthy Computing released a new Special Edition Security Intelligence Report (SIR) today titled "Battling the Rustock Threat". Our telemetry indicates that the bot network is now less than half the size it was prior to being taken offline. However, although our global detection results...
  • A Technical Analysis on the Exploit for CVE-2011-2110 Adobe Flash Player Vulnerability

    On June 14, Adobe released updates and a security bulletin (APSB11-18) referencing attacks affecting Adobe Flash Player (versions 10.3.181.23 and earlier). These attacks have been observed as hosted on webpages containing malformed SWF files. We spent some time analyzing this Flash Player vulnerability (described in CVE-2011-2110) and are providing some technical details of this in-the-wild exploit. The Shellcode: The following steps describe how the SWF constructs the shellcode: The SWF downloads...
  • Malware packer integrates with UPX

    Recently, while I was analyzing a bunch of samples packed by custom packers, one of them struck me as a bit different from any others I had seen before. At first glance, the outer layer of packing is a UPX stub, which is commonly used in malware. Especially when combined with a custom packer, UPX can provide an excellent compression ratio. Since it's packed by UPX, I first unpacked it with a static unpacker and examined the dump. The heavily obfuscated code at the entry point easily led me to think there...
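Before reaching for a static unpacker it is worth confirming that the outer layer really is stock UPX, because a custom stub that merely looks like UPX will not unpack cleanly. The Python below is an added example, not code from the MMPC post: it parses the PE section table without third-party modules and reports the indicators a stock UPX stub leaves behind (UPX0/UPX1 section names, the "UPX!" magic at the start of the packer header, and a first section with zero raw size that the stub decompresses into at run time). The `build_sample_pe` helper is a constructed fixture that emits only the headers the parser reads, not a real executable. The section names and magic are trivial to scrub, so the raw-size heuristic is kept as a weaker third signal that survives renaming.

```python
import struct

# Indicators a stock UPX stub leaves in a packed PE.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
UPX_MAGIC = b"UPX!"  # magic at the start of the UPX packer header


def parse_sections(pe_bytes):
    """Parse the PE section table without pefile.

    Returns a list of (name, virtual_size, virtual_address, raw_size, raw_ptr).
    Raises ValueError if the input is not an MZ/PE image.
    """
    if len(pe_bytes) < 0x40 or pe_bytes[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    if coff + 20 > len(pe_bytes):
        raise ValueError("COFF header truncated")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsec, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", pe_bytes, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsec):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(pe_bytes):
            raise ValueError("section table truncated")
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe_bytes, off)
        sections.append((name.rstrip(b"\0"), vsize, vaddr, rsize, rptr))
    return sections


def upx_indicators(pe_bytes):
    """Return a dict of UPX indicators for the given PE image bytes."""
    sections = parse_sections(pe_bytes)
    names = [s[0] for s in sections]
    first = sections[0] if sections else None
    result = {
        "upx_section_names": [n.decode("latin-1") for n in names if n in UPX_SECTION_NAMES],
        "upx_magic": UPX_MAGIC in pe_bytes,
        # UPX0 holds no file data: the stub decompresses into it at run time, so
        # SizeOfRawData is 0 while VirtualSize is large. Renaming sections keeps this.
        "empty_first_section": bool(first) and first[3] == 0 and first[1] > 0,
    }
    result["likely_upx"] = bool(result["upx_section_names"]) or result["upx_magic"]
    return result


def build_sample_pe(section_specs, include_magic):
    """Constructed fixture: a minimal PE header with the given sections.

    section_specs is a list of (name, virtual_size, raw_size). The optional
    header is zero-filled and nothing is executable; only the headers the
    parser reads are meaningful.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    opt = b"\x0b\x01" + b"\0" * 222  # PE32 magic 0x10b, then a zero-filled optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(
        struct.pack("<8sIIII", name, vsize, 0x1000 * (i + 1), rsize, 0x400) + b"\0" * 16
        for i, (name, vsize, rsize) in enumerate(section_specs))
    trailer = UPX_MAGIC + b"\0" * 12 if include_magic else b"\0" * 16
    return bytes(dos) + b"PE\0\0" + coff + opt + table + trailer


if __name__ == "__main__":
    # Stock UPX layout: UPX0 with no raw data, UPX1 holding the compressed image.
    packed = build_sample_pe(
        [(b"UPX0", 0x10000, 0), (b"UPX1", 0x8000, 0x7000), (b".rsrc", 0x1000, 0x600)], True)
    # Same layout with the names and magic scrubbed, as a custom stub might do.
    scrubbed = build_sample_pe([(b".text", 0x10000, 0), (b".data", 0x8000, 0x7000)], False)
    for label, sample in (("packed", packed), ("scrubbed", scrubbed)):
        print(label, upx_indicators(sample))
```

If `likely_upx` is true, `upx -d` or another static unpacker is the cheap first step; if only `empty_first_section` fires, expect a modified stub and plan on unpacking dynamically instead.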
  • MSRT June 2011: Targeting Yimfoca

    This month's MSRT families included Win32/Rorpian (an autorun worm that exploits a vulnerability in shortcut files), Win32/Nuqel (another autorun worm that spreads via network drives, removable drives, and instant messaging programs) and Win32/Yimfoca. The last, Yimfoca, is a prevalent IM worm that uses common instant messaging applications and social networking websites to spread. It also affects security settings on the infected computer. Aside from stopping the Windows Update service and thus...
  • Don’t write it, read it instead!

    The bootkit malware Trojan:Win32/Popureb.E has made some changes in its code compared to previous samples (specifically, Trojan:Win32/Popureb.B), and now introduces a driver component to prevent the malicious MBR and other malicious data stored as disk sectors from being changed. The driver component protects the data in an unusual way – by hooking the DriverStartIo routine in a hard disk port driver (for example, atapi.sys). The following steps describe the trick: It calls IoGetDeviceAttachmentBaseRef...
Page 16 of 44 (440 items)