Last November, Microsoft released security bulletin MS10-087 , which addresses a number of critical vulnerabilities in how Microsoft Office parses various office file formats. One of them is CVE-2010-3333 , "RTF Stack Buffer Overflow Vulnerability," which could lead to remote code execution via specially crafted RTF data. A few days before Christmas, we received a new sample (sha1: cc47a73118c51b0d32fd88d48863afb1af7b2578) that reliably exploits this vulnerability and is able to execute malicious...

In 1999, a new virus, Win32/Crypto, was discovered. It was using brute-force attacks against its encryption key to decrypt its body. Today, in 2011, variants of Win32/Alureon are bringing this old-school technique back to life, with some extra naughtiness, as you will see below. While working recently on different Win32/Alureon samples, we noticed some behaviour that deviated from what we’ve seen before. A particular set of files was taking longer to exhibit malicious behaviour than others...

This month, MSRT takes on another prevalent rogue family. This one is called Win32/InternetAntivirus and, although it has dabbled with the names General Antivirus and Personal Antivirus* , it is usually easy to recognise by the moniker Internet Antivirus Pro . Win32/InternetAntivirus follows the familiar path of fake online scanner leading to the rogue downloader, which in turn installs the rogue itself. The online scanner looks like this: This rogue downloader that these pages want you to run also...

The MSRC released a security advisory yesterday about a vulnerability in Internet Explorer. Just like our colleagues at the MSRC , we're tracking the situation very closely as we've observed the vulnerability exploited in the wild, however within a relatively limited context. Virtually all the malicious sites we've seen taking advantage of the vulnerability thus far are hosted on a variety of Chinese domains. According to the investigation thus far, the vulnerability affects Windows Internet Explorer...

Email scams are a common way to spread malware and/or steal personal information. Some great guidelines to help you protect yourself from such scams are outlined here: http://www.microsoft.com/protect/computer/viruses/email.mspx We have recently found out about the latest in an ongoing string of email scams that target Microsoft customers. This particular scam contains the Backdoor:Win32/Haxdoor trojan as an attachment. We have seen a few emails targeting Microsoft customers that look like the...

Recently, we've seen a few attacks in the wild targeting a patched Adobe Flash Player vulnerability. The vulnerability related to this malware was addressed with a recent patch released by Adobe on May 4th. On the Windows platform, Flash Player 11.2.202.233 and earlier is vulnerable. If you're using vulnerable version, you need to update your Flash Player now to be protected against these attacks. We had a chance to analyze how the malware (sha1: e32d0545f85ef13ca0d8e24b76a447558614716c) works and...

Worm:Win32/Visal.B is a new worm, written in Visual Basic, that is currently propagating in part using social-engineering. We strongly encourage customers to be cautious about clicking suspicious or even simply unexpected links in email, even if it’s sent by someone you know. Getting infected by Visal.B is an example of what happens if you aren’t careful. The threat has a timestamp of 9/3/2010 and spreads using two techniques: mass emailing, and copying itself to local drives (C: and...

It’s been a busy year for Microsoft Security Essentials . As we observed right after the first week of release, Microsoft Security Essentials had already detected threats on over half a million computers. As Microsoft Security Essentials enters into its second year with over 31 million installations, 27 million of those computers have reported infections to the Microsoft Malware Protection Center (MMPC). As indicated by the chart below, the country with the most installations is the United...

As we’ve mentioned before, your average user is the most at risk of getting infected these days. So, with the release of Microsoft Security Essentials recently en masse, we’re really able to see some of the fruits of our labour over the last few years. We’re very pleased to see such a positive response to MSE, with many new home users giving it a try, which as you can imagine, makes us all happy little Vegemites *. As you might expect, we see pretty different infection types from home-users versus...

Today we are going to take a closer look at bots and botnets. On the black market, selling bots and botnets is quite profitable, which makes creating them a popular activity for criminals. It helps that bot sources and creation kits are available on the Internet, allowing even script kiddies to create their own botnets. Another reason bots get created is that some people who get bored in their daily lives tend to do things that in their opinion might earn them respect or admiration in front of their...