Microsoft Malware Protection Center
Threat Research & Response Blog
Let’s Celebrate Best Buy's 20th Anniversary
Posted over 3 years ago by mmpc2
Last week, I was checking my Facebook account and noticed I had an Event Invitation from a fellow security researcher. Very intriguing. This friend is a world traveler and doesn’t currently reside in the United States, but the Event Invitation was for a Free $1000 "Best Buy gift card to celebrate Best Buy’s 20th Anniversary". Alarm bells started ringing and I knew it had to be a scam. But let’s take a look... There was no reason I could think of why they would use a bit...
MSRT Review on Win32/FakeSecSen Rogues
Posted over 5 years ago by mmpc2
Win32/FakeSecSen was added to the MSRT November release, as Hamish mentioned in his MMPC blog. We’ve since observed MSRT removing FakeSecSen from 994,061 distinct machines. A breakdown of these removals by region is shown below. Region/Country, Distinct Machines Cleaned: United States 548,218; United Kingdom 74,343; France 47,581; Germany 43,347; Netherlands 28,724; Spain 23,027; Italy...
Just in time for New Year's....
Posted over 5 years ago by mmpc2
Hello again from Melbourne! We've seen another resurgence of Worm:Win32/Conficker, this time as Worm:Win32/Conficker.B. We've already received a number of reports of this new variant from the wild from affected users. Not surprisingly, a majority of the new infections we’re seeing are on machines that are yet to install the MS08-067 update (see our previous posts 'More MS08-067 Exploits' and 'A Quick Update About MS08-067 Exploits'). This new variant also spreads via network shares by...
Restart issues on an Alureon infected machine after MS10-015 is applied
Posted over 3 years ago by mmpc2
The Win32/Alureon family of malware is a complex set of components which perform various functions. These include the modification of DNS settings, search hijacking, and click fraud. Alureon has existed for several years and has undergone a number of evolutionary changes. The ability to “infect” the miniport driver associated with the hard disk of the operating system is a recent notable change. This functionality first appeared around August 2009. For the most common system configuration (for machines...
Analysis of the CVE-2011-0611 Adobe Flash Player vulnerability exploitation
Posted over 2 years ago by mmpc2
About a month ago, we blogged about an Adobe Flash Player vulnerability (CVE-2011-0609) that was actively exploited in the wild. That exploit was hidden inside a Microsoft Excel document. Over the weekend, a new Adobe Flash Player 0-day (CVE-2011-0611) was reported by Adobe in a recent advisory (APSA11-02). It all started with spam emails enticing users to open their attachment, typically a Microsoft Word document (or a zip file of a Microsoft Word document), which contained the malicious...
MSRT Tackles Fake Microsoft Security Essentials
Posted over 3 years ago by msft-mmpc
We've seen a few rogue security programs use elements of legitimate security software in order to try to make themselves appear more authentic. It was inevitable that Microsoft Security Essentials would be the target of this kind of mimicry. While some rogues have simply copied Security Essentials' name, others have gone further by imitating elements of the Security Essentials user interface. By far the most prevalent of these is Win32/FakePAV, which is this month's addition to the MSRT family list...
MSRT April Threat Reports & Alureon
Posted over 3 years ago by mmpc2
Following up on the blog post that our friends in the Microsoft Security Response Center posted a few weeks ago, we wanted to share the results from the April edition of MSRT. As part of our ongoing updates to families already in MSRT, we have added support for more variants of the Win32/Alureon rootkit/infector, including the ones responsible for the issues widely reported with Microsoft Security Bulletin MS10-015. Below is a summary of the Alureon cleaning using MSRT in April: Variant...
Uprooting Win32/Rustock
Posted over 5 years ago by mmpc2
This month we added a family of rootkit-enabled trojans to MSRT - Win32/Rustock. Win32/Rustock is a multi-component family of rootkit-enabled backdoor trojans, which were historically developed to aid in the distribution of 'spam' e-mail. First discovered sometime in early 2006, Rustock has evolved to become a prevalent and pervasive threat. Recently we've seen it associated with the incidence of rogue security programs. This might indicate that the Rustock family of trojans has gained some traction...
Fake Security Software All Up
Posted over 4 years ago by mmpc2
In a recent blog posted on 18th November we talked about the significant threat that AV rogues had posed for our users this year. Besides the prevalent rogues covered by the MSRT, the following is a longer list of AV rogues detected by Microsoft AV products such as Microsoft Security Essentials, Forefront Client Security, etc. FakeXPA, FakePowav, MalwareBurn, UnSpyPc, DriveCleaner, DocrorTrojan, Winfixer, FakeScanti, Cleanator, MalwareCrush...
Active Exploitation of CVE-2010-0806
Posted over 3 years ago by mmpc2
On March 9, Microsoft started investigating reports of targeted attacks using a previously undisclosed vulnerability (CVE-2010-0806) affecting Internet Explorer 6 and 7 (Internet Explorer 8, Windows 7, and Windows Server 2008 R2 are not susceptible). As a member of the Microsoft Active Protections Program (MAPP), the MMPC and other members received information about the vulnerability and immediately deployed protection for our customers. We’ve been tracking exploit attempts against this vulnerability...