Microsoft Malware Protection Center

Threat Research & Response Blog

  • Another way Microsoft is disrupting the malware ecosystem

    Like it or not, in today’s world, online advertising plays a large and important role in supporting the web. Pay-per-click (PPC) advertising, born in 1998, created a system whereby advertisers only pay when potential customers click on an advertisement's link. This system allowed companies to target very specific market segments, better gauge sales campaign performance and to only pay for what was clicked. This helped drive demand for publishers. Publishers are those people with websites or...
  • An analysis of Dorkbot’s infection vectors (part 2)

    In part 1 of this series, we talked about Dorkbot and its spreading mechanisms that required user interaction. In this post, we'll talk about how Dorkbot spreads automatically, via drive-by downloads and Autorun files. Spreading vectors not requiring user interaction: drive-by downloads and Autorun files. Dorkbot can also spread automatically, without user interaction. We recently encountered a malicious Java applet that exploits the vulnerability described in CVE-2012-4681 to distribute the...
  • Smoke and mirrors and Win32/Phorpiex

    This month one of the families introduced to MSRT is Win32/Phorpiex, a worm that spreads via removable drives and has IRC-controlled backdoor functionality. In most respects Phorpiex is another worm, with typical command and control via IRC as well as spreading via removable drives. Like much other malware, it usually does this by using Autorun, copying itself to the removable drive and writing an "autorun.inf" file to ensure execution on access, assuming the system is configured to allow autorun...
  • A technical analysis on new Java vulnerability (CVE-2012-5076)

    There is a new Java vulnerability now publicly disclosed, CVE-2012-5076. Recently, we have seen more and more Java malware and malware distributors using new vulnerabilities quicker than ever before. Here’s a brief analysis of this newly disclosed Java vulnerability and related malware. Just like the recent CVE-2012-4681, this vulnerability is about a package access issue. But this time, it’s not caused by vulnerable code that exposes restricted packages. The malware we’ve...
  • An analysis of Dorkbot's infection vectors (part 1)

    Malware nowadays benefits from the complexity of the Internet ecosystem to infect new computers through vectors such as browser plugins, social networks, and instant messaging programs. In this two-part series, we'll look at Worm:Win32/Dorkbot, a prevalent worm with the capabilities of an IRC backdoor and a password stealer. Dorkbot relies both on social engineering attacks and on methods that don't require human intervention, such as infected removable drives and drive-by downloads. This versatility...
  • Don't fall for Folstart

    We use thumb drives in different ways – usually to transfer files from one computer to another. When we create folders on thumb drives, we have a certain level of confidence that the folder isn't malicious or doesn't contain malware. Unfortunately, this assumption is not always true. For the month of November, we added the Folstart family to the Microsoft Malicious Software Removal Tool (MSRT). Folstart is a family of worms that copies itself using the same names as folders in your USB...
  • All copy and paste makes Jack a bored boy

    We recently came across what appeared to be a new sample, but was actually part of malware discovered in 2010. This new-old sample is built from publicly available source code and, like many of its kind, is frequently rebranded. Because of all the changes that malware authors have made, we have detection for each customized iteration. One such iteration (SHA1 8d81462089f9d1b4ec4c7423710cf545be2708e7) is commonly deployed under private obfuscators (such as H1N1 or Umbra). We detect this threat as...
  • Happy Halloween from the MMPC

    One of my pet peeves working in computer security has always been the use of emotive language. I have always felt that using highly emotive terms to discuss malware greatly adds to the already-considerable FUD (fear, uncertainty and doubt) that surrounds a lot of malware information. The FUD, in turn, leads users to think that this is a problem that is too big for them – too daunting, too scary – when that simply isn’t true. Malware are computer programs just like other computer...
  • MSRT October '12 - Nitol by the numbers

    As mentioned in our previous post, Microsoft's study [PDF] behind Operation b70 found that PC consumers might be at risk of malware infection even with brand new computers, if the computers come pre-installed with counterfeit versions of Windows software. This is what happened to some consumers in China who purchased their computers from an untrusted supply chain. A staggering 4 out of 20 machines were found to be infected with malware, and one of those infectors was Nitol. MMPC's infection...
  • Know your enemy - protect yourself

    Of the many weapons and tricks in an attacker’s arsenal, none is more dangerous or insidious than the ability to hide and continuously compromise a system from within. This is the role of a rootkit. Malware uses rootkits, or rootkit functionality, in order to hide their presence on an affected computer and thus impede their removal. Once compromised by a rootkit, any information returned by an affected system can no longer be trusted and must be regarded as suspect (which is exactly how they...