Microsoft Malware Protection Center

Threat Research & Response Blog

  • Microsoft Digital Crimes Unit disrupts Jenxcus and Bladabindi malware families

    Today, following an investigation to which the Microsoft Malware Protection Center (MMPC) contributed, the Microsoft Digital Crimes Unit initiated a disruption of the Jenxcus and Bladabindi malware families. These families are believed to have been created by the individuals Naser Al Mutairi, aka njQ8, and Mohamed Benabdellah, aka Houdini. These actions are the first steps to stop the people who created, distributed, and assisted the propagation of these malware families. There are more details...
  • Febipos for Internet Explorer

    In a previous blog post we discussed Trojan:JS/Febipos.A, a malicious browser extension that targets the Facebook profiles of Google Chrome and Mozilla Firefox users. We recently came across a new Febipos sample that was specifically developed for Internet Explorer - we detect it as Trojan:Win32/Febipos.B!dll. This trojan is a browser helper object that loads a JavaScript into Internet Explorer. We detect the loaded JavaScript as Trojan:JS/Febipos.E. The plugin tries to look legitimate by calling...
  • Creating an intelligent “sandbox” for coordinated malware eradication

    Hello from China where I am presenting on coordinated malware eradication at the 2014 PC Security Labs Information Security Conference. Coordinated malware eradication was also the topic of my last blog. I said the antimalware ecosystem must begin to work with new types of partners if we are going to move from the current state of uncoordinated malware disruption to a state of coordinated malware eradication. Since then we’ve been talking about these ideas at conferences around the...
  • A close look at a targeted attack delivery

    For antimalware products, targeted attacks represent a very interesting class of malware. They are stealthy and only target specific organizations and industries - flying under the radar when it comes to identifying new malware files based on telemetry. The purpose of these attacks is most commonly to steal confidential and sensitive information by means of social engineering and unpatched, vulnerable software. We recently investigated a sample used in this kind of attack, Trojan:Win32/Retefe...
  • A journey to CVE-2014-0497 exploit

    Last week we published a blog post about a CVE-2013-5330 exploit. We’ve also recently seen a new, similar attack targeting a patched Adobe Flash Player vulnerability (CVE-2014-0497). The vulnerability related to this malware was addressed with a patch released by Adobe on February 4, 2014. Flash Player versions 12.0.0.43 and earlier are vulnerable. We analyzed how these attacks work and found the following details. The malicious file has been distributed as a .swf file, which contains...
  • Turkey: Understanding high malware encounter rates in SIRv15

    In our most recent version of the Security Intelligence Report (SIRv15), we compared the encounter rates of malware categories for the top 10 countries with computers reporting the most detections in 2Q13. Amongst these countries, Turkey stood out with considerably high encounter rates in multiple categories. Encounter rate is the percentage of computers in a country that reported at least one detection of malware. Figure 1. Threat category prevalence worldwide and in the 10 locations with...
  • PC health – Part 1: Information stealing malware

    When we were building Windows 8, MMPC partnered with several teams in Microsoft to start the PC Health program. The PC health program has two goals: (1) to inform and guide customers on additional actions to take when malware might have put their information at risk; (2) to monitor the health of PCs running our antimalware products and initiate remediation as required. We’ll discuss the PC health program in this two-part blog. Part 1 focuses on the first goal: informing and guiding our...
  • MSRT February 2014 - Jenxcus

    We have been seeing a lot more VBScript malware in recent months, thanks in most part to VBS/Jenxcus. Jenxcus is a worm coded in VBScript that is capable of propagating via removable drives. Its payload opens a backdoor on an infected machine, allowing it to be controlled by a remote attacker. For the past few months we have seen the number of affected machines remain consistently high. For this reason we have included Jenxcus in the February release of the Microsoft Malicious Software Removal Tool...
  • A journey to CVE-2013-5330 exploit

    Recently, we've seen a few attacks in the wild targeting a patched Adobe Flash Player vulnerability (CVE-2013-5330). This vulnerability was addressed with a patch released by Adobe on November 12, 2013. On the Windows platform, Flash Player version 11.9.900.117 and earlier are vulnerable. We had a chance to analyze how the attacks work and noted some interesting details from our investigation. The malicious file has been distributed as a .swf file using the obfuscator secureSWF, which has...
  • MSRT April 2014 – Ramdo

    This month we added Win32/Ramdo and Win32/Kilim to the Microsoft Malicious Software Removal Tool. In this blog, we will focus on Ramdo and some of what we have since found out about this relatively new trojan family. Ramdo, a click-fraud bot with built-in antisinkhole and antivirtualization code, was first found in the wild in December 2013. Telemetry: Compared to other big families, Win32/Ramdo’s impact is relatively small in terms of the number of infected machines. However, when one...