Unhappy New Year

Malware authors don’t miss any major event in their attempts to spread malware. Evidently, they see the upcoming New Year as yet another opportunity to get their creations into unsuspecting users’ computers. We have already seen signs of malware misusing this happy event. In most cases, these are spammed emails that look like legitimate “Happy…


Targeted attacks against recently addressed Microsoft Office vulnerability (CVE-2010-3333/MS10-087)

Last November, Microsoft released security bulletin MS10-087, which addresses a number of critical vulnerabilities in how Microsoft Office parses various office file formats. One of them is CVE-2010-3333, “RTF Stack Buffer Overflow Vulnerability,” which could lead to remote code execution via specially crafted RTF data. A few days before Christmas, we received a new sample…


Phishing encounter while on vacation

It was my first night in Beijing for a long-overdue vacation. I purchased a SIM card from the airport and sent SMS greetings to friends and family and other families in town. SMS is hugely popular and a main communication channel in China. Guess what? The first SMS I received was from a strange number:…


MSRT December: If it quacks like a bot, it’s probably Qakbot.

This month, the MSRT team has added the Win32/Qakbot family of backdoors to its detections. Qakbot is composed of several components, including a keylogger, a password stealer and a user-mode rootkit. Qakbot is commonly distributed as the payload of what appear to be attacks, mainly targeted at enterprise installations. Qakbot starts as a highly…


CVE-2010-3962 – The weekend warrior

The Microsoft Malware Protection Center has been tracking a recent 0-day vulnerability for Microsoft Internet Explorer very closely after it was found in the wild in early November, apparently being used in targeted attack attempts. As public exploit code became available and attackers began integrating the code into their toolkits, we continued to closely monitor…


Looks familiar? Yes! From Alureon!

It’s a normal day for us. We receive a new Bamital virus sample report from a customer, and we provide an analysis. Suddenly, something interesting bursts into my eyes: What’s your thought on this code fragment? At first glance, this piece of code looks like a non-malicious call to manipulate the Windows Printer SubSystem…


FakeSysdef: We can defragment that for you wholesale! / Diary of a scamware

Initially it was “System Defragmenter”, then “Scan Disk” and now it’s called “Check Disk”. While the name will most certainly change again, the main goal of Trojan:Win32/FakeSysdef will surely remain the same: to trick you into buying a piece of software that does nothing except scare you with fake warnings, critical “errors” and other “problems”…


A Happy Thanksgiving from Rebhip?

A day before Thanksgiving, as I was doing my work, I came across a sample (SHA1: b9b52db22d35c50081054d4ece39f520ae3ef9fe) from a customer submission, with the usual “ecard.exe” filename. It has an image icon but with an .EXE extension, a clear sign of malicious intent. As I further investigated the sample, it displayed the following greeting: Note: the…


Explore the CVE-2010-3654 matryoshka

We recently discovered a sample that is trying to exploit the 0-day Adobe vulnerability tracked by CVE-2010-3654. This sample is being distributed as a PDF file, and it has a lot of complicated steps before the final payload is executed. Analyzing this sample is like working your way through a matryoshka doll. The analysis…


New Year, Same Old Rogues

New rogue security programs seem to be popping up all the time, but when we dig a little deeper what we see is mostly just new variants of the same old rogues. Five months ago, we wrote about a rogue we call Win32/Fakeinit that used the name “Security Essentials 2010”. We expected to see the…