Following up on the blog post that our friends in the Microsoft Security Response Center posted a few weeks ago, we wanted to share the results from the April edition of MSRT. As part of our ongoing updates to families already in MSRT, we have added support for more variants of the Win32/Alureon rootkit/infector, including the ones responsible for the issues widely reported with Microsoft Security Bulletin MS10-015 . Below is a summary of the Alureon cleaning using MSRT in April: Variant...

The eighth volume of the Microsoft Security Intelligence Report is going live today. Inside, you’ll find 248 pages of in-depth information about malware, spam, malicious Web sites, vulnerabilities, and exploits that are relevant to the Windows platform. This volume contains a new Mitigation Strategy section that provides collective advice and best practices from our own Microsoft IT organization along with other security experts from all around Microsoft. We’ve also greatly expanded our international...

There have been many instances where a virus infects an unintended target; this time it's a variant of Virus:Win32/Huhk. As the name indicates, this virus usually attempts to infect x86 PE files. I came across a sample which contains the virus code, but there was something different about it... Yes, the infected file is a Windows CE binary for the ARM architecture. When virus writers don't perform more than the basic checks such as ensuring the file is a windows executable: we end...

Well kids it’s that time of the month again; MSRT Tuesday! Continuing the trend on from last month , the target du jour is password stealers that target online games (we like to do these things in groups you see). Our motif for this month is a lovely shade of grey I call ‘password stealer’, with juxtapositions of process injection, with a penchant for passwords of the online game variety; but of course we are referring to PWS:Win32/Magania , mon ami. Win32/Magania is another delivery mechanism...

Last February, our colleague Chun blogged about trojanDownloader:Win32/Chekafe.A, which checks if the system is in an Internet Cafe and if so, downloads password-stealing trojans related to MMORPG online games. Now, we look deeper into one of the downloaded trojans, which is PWS:Win32/OnLineGames.GP (example SHA1: 935c02f86ed1212237a6a78801f41eb4a43d9ade). PWS:Win32/OnLineGames.GP, just like other password-stealing trojans, monitors certain processes related to MMORPG online games in order to...

On March 9, Microsoft started investigating reports of targeted attacks using a previously undisclosed vulnerability (CVE-2010-0806) affecting Internet Explorer 6 and 7 (Internet Explorer 8, Windows 7, and Windows Server 2008 R2 are not susceptible). As a member of the Microsoft Active Protections Program (MAPP), the MMPC and other members received information about the vulnerability and immediately deployed protection for our customers. We’ve been tracking exploit attempts against this vulnerability...

Today we are going to take a closer look at bots and botnets. On the black market, selling bots and botnets is quite profitable, which makes creating them a popular activity for criminals. It helps that bot sources and creation kits are available on the Internet, allowing even script kiddies to create their own botnets. Another reason bots get created is that some people who get bored in their daily lives tend to do things that in their opinion might earn them respect or admiration in front of their...

Recently, following an investigation to which various members of the MMPC contributed, Microsoft’s Digital Crimes Unit initiated a takedown of the Waledac botnet in an action known as Operation b49 , an ongoing operation to disrupt the botnet for the long term. The takedown also marked a new phase of exploration in combating botnets, which we call Project MARS (short for Microsoft Active Response for Security). While it is still too early to know the entire scope of this particular takedown's impact...

PWS:Win32/Zbot a.k.a Zeus/WSNPoem is a password-stealing trojan that monitors for visits to certain Web sites. It allows limited backdoor access and control and may terminate certain security-related processes. In our collection, although we have some Win32/Zbot malware toolkit/builder samples that date back to the 1st quarter of 2008, we already received and created detections for a number of Win32/Zbot samples from earlier - as early as the last quarter of 2006 (an early SHA1 is 006227158415078de14b4fe889dfe8dedfcf4e0b...

Back in August 2009 we added a rogue called Win32/FakeRean to the list of families removed by MSRT. At the time, I wrote about how it used several different names, like Home Antivirus 2010 and PC Antispyware 2010, which all looked pretty much the same. This is a trick used by most modern rogues; I covered it in some detail in my presentation at Virus Bulletin conference last September. Alongside the use of different names, we've seen some rogues introduce different versions for different operating...