Microsoft Malware Protection Center

Threat Research & Response Blog

  • The Cost of Free $oftware

    1 comment
    Today we stumbled upon an interesting file. The file in question, "wrar380CorporateEdition.exe" (md5: f054f5a1bcb79098916c80b28e4f2bec), appears to be the install kit for the WinRAR archiver. Upon closer inspection, it is actually a self-extracting CAB installer containing two files: "wrar380.Regged.exe" and "Setup_ver1.1808.0.exe". When the installer is run, both files execute. While "wrar380.Regged.exe" is actually WinRAR, the other file is actually... malware. A closer look at "Setup_ver1...
  • Year Old Worm Weasels its Way Aboard I.S.S.

    1 comment
    According to several reports across the 'net, NASA revealed in a log report that a worm was discovered on some laptops aboard the International Space Station. The worm, known by some as Gammima and which we call Worm:Win32/Taterf.gen!C, is at least a year old. NASA is known to perform experiments involving the order "Oligochaeta", whereas the Gammima worm does not thrive in the dirt. There is speculation on how exactly the computer worm arrived on the lab laptops, but as of yet, "mum's the word...
  • Horst: (Something Old, Something New)

    1 comment
    The latest version of the MSRT was released on the 8th of July. The newest family selected for inclusion was "Horst". The Horst family is made up of a number of different components, each of which can perform different tasks. Tasks include downloading, malware distribution, and email account registration by CAPTCHA bypass. Horst family variants have existed for a number of years; some appeared as early as 2004. Over the years, both the components and the techniques employed by the...
  • What's travelling on the wire

    1 comment
    Just a few days ago we installed a new network protocol analyzer in our lab here in Dublin. It was late when the configuration was done, so we just fired it up and let it run until the next day. After all, we didn't expect to get much attention in the beginning. Within a couple of hours, the first signs began to appear. Mainly there were port scans from zombies (a computer attached to the Internet that has been compromised by a hacker or a malware program; generally, a compromised machine is only one...
  • Malware Writer Wants an Eye-to-Eye With Us

    1 comment
    Zlob has been around for quite some time now and it is still evolving rapidly. If we thought of Zlob as a car, it has gone through the equivalent of several overhauls... Zlob constantly changes its decryption, obfuscation, and structure. As is our everyday routine, we were looking at several new variants of Zlob this morning and found this interesting message inside one of them: "I want to see your eyes the man from Windows Defender's team". It's the first time we've seen the Zlob writers include...
  • Email Scam Targets Microsoft Customers

    1 comment
    Email scams are a common way to spread malware and/or steal personal information. Some useful guidelines to help you protect yourself from such scams are outlined here: http://www.microsoft.com/protect/computer/viruses/email.mspx. We have recently learned about the latest in an ongoing string of email scams that target Microsoft customers. This particular scam carries the Backdoor:Win32/Haxdoor trojan as an attachment. We have seen a few emails targeting Microsoft customers that look like the...
  • SQL Injection - New Approach for Win32/FakeXPA?

    (often known as "Antivirus 2009"). One night while browsing, a message box popped up asking me to do a "security scan". As a researcher, I wouldn't let this pass me by. After going through my open tabs, I narrowed down the culprit to a forum I had open at the time. "View Source" showed a 1x1 pixel IFRAME pointing to hxxp://***.info/users/***/1.php. The position of this IFRAME is a little strange: it appears several times on the page, each time right after the title of the forum. It appeared...
  • Uprooting Win32/Rustock

    This month we added a family of rootkit-enabled trojans to MSRT: Win32/Rustock. Win32/Rustock is a multi-component family of rootkit-enabled backdoor trojans, historically developed to aid in the distribution of 'spam' e-mail. First discovered sometime in early 2006, Rustock has evolved to become a prevalent and pervasive threat. Recently we've seen it associated with the incidence of rogue security programs. This might indicate that the Rustock family of trojans has gained some traction...
  • Trojan Writers Drive BMW

    Why is malware that targets online games so prevalent these days? Why is there a saying in China, "Trojan writers drive BMW" ("写木马, 开宝马")? The writers and distributors of trojans that steal passwords and account details from popular online games have been making huge profits. Why and how can they make huge profits from writing and distributing trojans that target online games? My paper "Playing with shadows - exposing the black market for online game password theft", presented...
  • Malware and Signed Code

    Microsoft Authenticode® is a technology that can help verify the source of code. It does not ensure that code is safe to run, but it can ensure that the code is associated with an entity in a trust chain. Since you should base your trust decision about code on whether you trust its source, Authenticode helps with that decision by giving you more information about where the code came from. You can find out more about it here: http://msdn.microsoft.com/en-us/library/ms537361(VS.85).aspx ...