We recently discovered a sample that is trying to exploit the 0-day Adobe vulnerability tracked by CVE-2010-3654 . This sample is being distributed as a PDF file, and it has a lot of complicated steps before the final payload is executed. Analyzing this sample is like working your way through a matryoshka doll.   The analysis of this malware can be broken down into four steps: The PDF The shellcode …More shellcode, and The Portable Executable file 1 . The PDF The PDF file contains four malicious...

New rogue security programs seem to be popping up all the time, but when we dig a little deeper what we see is mostly just new variants of the same old rogues. Five months ago, we wrote about a rogue we call Win32/Fakeinit that used the name "Security Essentials 2010". We expected to see the "2011" version appear at some point, and here it is: Apart from the name, not much has changed. In fact, it still uses the same file name it used to, "se2010.exe". It seems even rogue creators have trouble...

We've seen a few rogue security programs use elements of legitimate security software in order to try to make themselves appear more authentic. It was inevitable that Microsoft Security Essentials would be the target of this kind mimicry. While some rogues have simply copied Security Essentials' name , others have gone further by imitating elements of the Security Essentials user interface. By far the most prevalent of these is Win32/FakePAV , which is this month's addition to the MSRT family list...

Facebook continues being a popular target for malware authors as we discover yet another family that uses this popular social network to propagate. The main component, which we detect as Trojan:Java/Boonana , is written in Java which gives it cross platform capability infecting Windows, Mac and Linux users. Trojan:Java/Boonana is sent via a link to a video to Facebook users. By clicking on the link, the user will be prompted to run the application “JPhotoAlbum”, which is a Java class inside a JAR...

At the recent Virus Bulletin 2010 Conference in Vancouver, BC, I made a presentation highlighting infection data collected from the Malicious Software Removal Tool and data collected from Microsoft Security Essentials in its first year. The presentation (coincidentally on the Security Essentials one year anniversary ), entitled " Observations and lessons learned from comparing point-in-time cleaning against real-time protection ", showed the MSRT as a baseline removal tool to keep the ecosystem clean...

Almost all major holidays are used by bogeymen (also known as cybercrooks) as an excuse to spread malware or spam using social engineering. This year is no exception, so we recommend that you be careful especially if you receive any Halloween themed emails -- even if it's from someone that you know. We've collected some examples that are already circulating and that you need to watch out for. 1. Happy Halloween We wish you a happy Halloween, but not in an email with a link that points to a...

Yesterday (Oct 26, 2010), MMPC researchers learned that the Nobel Peace Prize website " nobelprize.org " was hacked and users browsing the site using Firefox versions 3.5 and 3.6 may have received malware. The malware is delivered by way of a malicious JavaScript that exploits a vulnerability in Firefox. Mozilla is aware of the vulnerability and note that an update of the browser is pending. Microsoft provides protection against the malicious JavaScript as " Exploit:JS/Belmoo "...

Earlier this week (October 25), authorities in the Netherlands took action against one of the Win32/Bredolab botnets and person(s) who may be responsible for this threat as part of an investigation codenamed TOLLING- part of a larger project named TAURUS. This follows on the heels of similar efforts against Win32/Zbot by the Federal Bureau of Investigation’s Operation “Trident Breach” in partnership with international law enforcement agencies, operations in Spain and Slovenia against the Win32/Rimecud...

For those people who missed my presentation at Virus Bulletin this year, I co-presented on the topic of "proper" packer usage. The idea of a “proper” way to use packers is two-fold: (a) It reduces the prevalence of legitimate packers being used to pack malware. (b) It makes it easier to identify packers which exist only to pack malware. This is an industry-wide initiative, with backing from over a dozen security companies, including McAfee, Symantec, IBM, and Trend Micro...

The latest Microsoft Security Intelligence Report (SIR) dedicates a whole section to botnets and the role they play in today's world of malware, and for good reason - the pathways of the malware world are quickly merging into a botnet superhighway, a new conduit used for many nefarious purposes. If you compare the worldwide infection rate of computers cleaned per thousand ( CCM ) as detailed in the botnet section of SIR v9 with the general malware CCM, an interesting picture emerges.  By Q2...