This month, the MSRT team has added detection and removal for Zbot , one of the most widely known active botnets today. Although the malware itself is quite complex and varied, the technical acumen required to use and distribute it is actually quite low. Toolkits to create the malware are easily attainable and quite simple to use as the following screenshot shows. Underground forums are teeming with questions ranging from the very basics about configuring the malware to people boasting about...

When people in the industry talk about intentional obfuscation using virtual machines, (note that these are not the same virtual machines as Virtual PC or VMware, but rather it's a technical term that was in use long before these products came into existence), the two examples that are most likely to come to mind are VMProtect and Themida.  Both of them have been around since about 2004, only six years ago.   I'm trying to choose my terms carefully here, because by their nature, virtual...

If you play Halo, you probably know that the Recon Armor is a rare armor variant that is only available to the makers of Halo, Bungie, and players who have unlocked all Vidmaster challenges in previous versions of the game. With the recent release of Halo: Reach, a lot of users are looking for free means to get hold of this armor for their game play. Apparently, malware writers also took notice of this opportunity to distribute malware masking as code generators for the flaming recon helmet and Halo...

It’s been a busy year for Microsoft Security Essentials . As we observed right after the first week of release, Microsoft Security Essentials had already detected threats on over half a million computers. As Microsoft Security Essentials enters into its second year with over 31 million installations, 27 million of those computers have reported infections to the Microsoft Malware Protection Center (MMPC). As indicated by the chart below, the country with the most installations is the United...

A bit of research goes a long way as we’re going to prove in this blog post. Sometimes, as we'll see with TrojanDownloader:Win32/Camec.A , a little investigation reveals that a seemingly ordinary malware is in fact an exotic bird. The other day, we were analyzing what we thought was a run-of-the-mill trojan written in Visual Basic. Usually these are a dime a dozen since every script kiddie and Internet crook wannabe can get around copy and pasting pieces of code from the web to create a malicious...

A threat we call Trojan:MSIL/Fakeinstaller.A has been making the rounds lately. It is a slight deviation from the family of malware threats known as Trojan:Win32/Ransom . The malware is similar to Trojan:Win32/Ransom , which seizes control of the computer by locking the user's screen and then demanding a passcode from the user. The user receives the passcode only after sending an SMS to a premium number. This particular sample of Trojan:MSIL/Fakeinstaller.A (SHA1: 5a888391750c0efefe9dfc7dd63ed5b78f603ef9...

There have been a few recent incidents of what we previously thought was extremely rare - malware authors using code signing certificates that were issued to companies with good reputations. The high-profile Stuxnet incident included validly signed malware with misappropriated Authenticode certificates from two Taiwanese companies. More recently, it appears a US credit union lost its private key to malware authors who used it to sign some variants of Trojan:Win32/Tapaoux.A as well. It's still...

For this month, we added the Win32/FakeCog family to the Malicious Software Removal Tool (MSRT) release. FakeCog is another family of rogue applications that employ dubious methods to convince an unsuspecting user to install and buy their software. It tries to protect itself with code obfuscation and anti-emulation techniques to evade detection by security products. Some of the recent brand names that FakeCog has been known to use are "Defense Center", "Anvi Antivirus", "Protection Center" and...

Starcraft 2 is gaining popularity not only for gamers but also for malware writers. We wrote about Starcraft almost two months ago when it was first released. Now, apparently, it is also being used as part of a social engineering technique by a downloader family called Harnig. Harnig is employed by many other types of prevalent threats ( Bubnix , FakeSpypro , Koobface ) to download their malware into computers. We’ve seen a Harnig sample that is using the new release of Starcraft 2: Wings of...

We have some updated information for you regarding Worm:Win32/Visal.B , known as the "Here you have" worm (with a SHA1, a unique identifier for the threat, of 0x0BA8387FAAF158379712F453A16596D2D1C9CFDC) that we also blogged about yesterday. First, let us remind you of the two methods originally used by the worm to spread itself: It mass-emailed a link that pointed to malware, and it copies itself to local drives and network shares. The mass mailer takes advantage not only of local address lists...