Fake apps: Behind the effective social strategy of fraudulent paid-archives

In my previous blog, “Fake apps and the lure of alternative sources,” I discussed a fraudulent scheme that takes advantage of known, legitimate and free applications. Unlike rogue security software and ransomware, which use threats and force to influence their victims, the social engineering techniques employed by a fake installer are less aggressive yet, interestingly, more deceptive…


Update signature definitions to resolve performance issues in definitions starting with 1.141.2400.0

Some users of Microsoft antimalware products have reported a performance issue with signature definition versions starting with 1.141.2400.0 (12/21/2012 1920 UTC). The current definition files, since 1.141.2639.0 (12/27/2012 0625 UTC), resolve this issue. If you have a signature set in the affected range, please update to the current definition files.

Shannon Sabens, MMPC


Korean gaming malware – served 3 ways

Recently, we’ve seen similar activities being performed by different malware that monitor online Korean applications. Mostly, the applications they monitor are card games, such as those in Figure 1.

Figure 1: Examples of online Korean games that are being monitored. (Source: http://www.hangame.com)

The following applications are monitored if found running on the system: LASPOKER.EXE…


MSRT December ’12 – Phdet

Phdet is the family added to the December 2012 release of the Malicious Software Removal Tool. Phdet is a family of backdoor trojans that can perform distributed denial of service (DDoS) attacks. The bot can be found online, going by the formal name of “Black Energy”. The DDoS bot has…


Unexpected reboot: Necurs

Necurs is a prevalent threat in the wild at the moment – variants of Necurs were reported on 83,427 unique machines during the month of November 2012. Necurs is mostly distributed by drive-by download. This means that you might be silently infected by Necurs when you visit websites that have been compromised by exploit kits such as Blackhole. So…


The "hidden" backdoor – VirTool:WinNT/Exforel.A

Recently we discovered an advanced backdoor sample – VirTool:WinNT/Exforel.A. Unlike traditional backdoor samples, this backdoor is implemented at the NDIS (Network Driver Interface Specification) level. VirTool:WinNT/Exforel.A implements a simple private TCP/IP stack and hooks NDIS_OPEN_BLOCK for the TCP/IP protocol, as shown in Figure 1.

Figure 1: Hooked functions in NDIS_OPEN_BLOCK

This means that backdoor-related TCP traffic will be diverted to the…
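To make the mechanism concrete, here is an added user-mode C model of the technique the excerpt describes: a per-binding handler table whose receive handler is swapped for a hook that swallows the backdoor's own packets and chains everything else to the original protocol handler. This is illustrative code written for this page, not Exforel's driver code. The OPEN_BLOCK struct, the ReceiveHandler field name, the marker bytes and their offset are all assumptions; the real NDIS_OPEN_BLOCK layout is version-specific and is not reproduced here.

```c
/* Added example (not Exforel's code): a user-mode model of hooking a
 * protocol binding's handler table so that selected frames never reach the
 * legitimate TCP/IP stack. Struct layout, field name, marker bytes and
 * offset are assumptions made for illustration only. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for the protocol's per-binding handler table. */
typedef void (*receive_fn)(const uint8_t *pkt, size_t len);
typedef struct {
    receive_fn ReceiveHandler;   /* assumed name; the real block has many entries */
} OPEN_BLOCK;

/* Counters so a caller can observe where each frame ended up. */
static unsigned long packets_to_tcpip = 0;   /* reached the legitimate stack */
static unsigned long packets_diverted = 0;   /* swallowed by the backdoor */
static int hook_detected = 0;                /* result of the integrity check */

/* The legitimate protocol handler (stands in for tcpip.sys). */
static void tcpip_receive(const uint8_t *pkt, size_t len)
{
    (void)pkt; (void)len;
    packets_to_tcpip++;
}

/* Saved original so the hook can chain to it. */
static receive_fn original_receive = NULL;

/* Hypothetical marker the backdoor looks for at a fixed offset. */
#define MARKER_OFFSET 20
static const uint8_t BACKDOOR_MARKER[4] = {0xDE, 0xAD, 0xBE, 0xEF};

static int is_backdoor_packet(const uint8_t *pkt, size_t len)
{
    return len >= MARKER_OFFSET + sizeof BACKDOOR_MARKER &&
           memcmp(pkt + MARKER_OFFSET, BACKDOOR_MARKER, sizeof BACKDOOR_MARKER) == 0;
}

/* The hook: divert matching frames to the private stack, chain the rest.
 * The legitimate stack (and any host firewall layered above it) never sees
 * the diverted frames, which is what makes this kind of backdoor "hidden". */
static void hooked_receive(const uint8_t *pkt, size_t len)
{
    if (is_backdoor_packet(pkt, len)) {
        packets_diverted++;          /* the private TCP/IP stack would parse it here */
        return;
    }
    original_receive(pkt, len);
}

/* Install the hook into the block; returns nonzero on success. */
int install_hook(OPEN_BLOCK *blk)
{
    if (blk == NULL || blk->ReceiveHandler == hooked_receive) return 0;
    original_receive = blk->ReceiveHandler;
    blk->ReceiveHandler = hooked_receive;
    return 1;
}

/* A defender's integrity check: does the handler still point at the
 * expected protocol entry point? Nonzero means it has been redirected. */
int handler_is_hooked(const OPEN_BLOCK *blk, receive_fn expected)
{
    return blk->ReceiveHandler != expected;
}

/* Drive the model with three constructed frames (two normal, one carrying
 * the marker) and return how many were diverted. */
unsigned long simulate_traffic(void)
{
    OPEN_BLOCK blk = { tcpip_receive };
    uint8_t normal[64] = {0};
    uint8_t backdoor[64] = {0};
    memcpy(backdoor + MARKER_OFFSET, BACKDOOR_MARKER, sizeof BACKDOOR_MARKER);

    packets_to_tcpip = packets_diverted = 0;
    install_hook(&blk);
    blk.ReceiveHandler(normal, sizeof normal);
    blk.ReceiveHandler(backdoor, sizeof backdoor);
    blk.ReceiveHandler(normal, sizeof normal);
    hook_detected = handler_is_hooked(&blk, tcpip_receive);
    return packets_diverted;
}

unsigned long delivered_count(void) { return packets_to_tcpip; }
unsigned long diverted_count(void)  { return packets_diverted; }
int hook_was_detected(void)         { return hook_detected; }
```

The point of `handler_is_hooked` is the defender's side of the same observation: because the hook works by overwriting a function pointer, comparing the table entry against the address it should hold (the protocol driver's own handler) is the basic check a rootkit scanner performs on NDIS structures.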


MSRT November ’12 – Weelsof around the world

Win32/Weelsof belongs to a large class of malware called ransomware, which is different from your traditional trojans and worms. Ransomware’s main goal is to financially benefit from every infected user by forcing them to pay. We included Win32/Weelsof in our November release of the Malicious Software Removal Tool.

Malware entry point

The user can be…


Another way Microsoft is disrupting the malware ecosystem

Like it or not, in today’s world, online advertising plays a large and important role in supporting the web. Pay-per-click (PPC) advertising, born in 1998, created a system whereby advertisers only pay when potential customers click on an advertisement’s link. This system allowed companies to target very specific market segments, better gauge sales campaign performance…


An analysis of Dorkbot’s infection vectors (part 2)

In part 1 of this series, we talked about Dorkbot and its spreading mechanisms that required user interaction. In this post, we’ll talk about how Dorkbot spreads automatically, via drive-by downloads and Autorun files.

Spreading vectors not requiring user interaction: Drive-by downloads and Autorun files

Dorkbot can also spread automatically, without user interaction. We recently…
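As an added example for the Autorun vector (written for this page, not taken from the Dorkbot write-up), the following C checker parses the text of an autorun.inf and reports whether its [autorun] section would launch a program when the drive is inserted. The key names it looks for (open, shellexecute, shell\…\command) are the documented autorun.inf launch keys; the sample .inf contents are constructed for illustration and are not captures from any real worm.

```c
/* Added example, not the blog's code: flag an autorun.inf whose [autorun]
 * section would launch a program. The sample .inf text is constructed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define LINE_MAX_LEN 512

/* ASCII case-insensitive prefix test. */
static int prefix_ci(const char *s, const char *prefix)
{
    while (*prefix) {
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
        s++; prefix++;
    }
    return 1;
}

/* Strip leading/trailing whitespace (including CR/LF) in place. */
static char *trim(char *s)
{
    while (isspace((unsigned char)*s)) s++;
    size_t n = strlen(s);
    while (n > 0 && isspace((unsigned char)s[n - 1])) s[--n] = '\0';
    return s;
}

/* Does the value reference an executable, script or a launcher binary? */
static int looks_like_launcher(const char *value)
{
    static const char *risky[] = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", "rundll32", NULL};
    char lower[LINE_MAX_LEN];
    size_t i;
    for (i = 0; value[i] && i < sizeof lower - 1; i++) lower[i] = (char)tolower((unsigned char)value[i]);
    lower[i] = '\0';
    for (i = 0; risky[i]; i++) if (strstr(lower, risky[i])) return 1;
    return 0;
}

/* Is this key one that Windows would act on to run something? */
static int is_launch_key(const char *key)
{
    size_t len = strlen(key);
    if (prefix_ci(key, "open") && len == 4) return 1;
    if (prefix_ci(key, "shellexecute") && len == 12) return 1;
    /* shell\<verb>\command=... defines what a context-menu verb runs */
    if (prefix_ci(key, "shell\\") && len > 8 && prefix_ci(key + len - 8, "\\command")) return 1;
    return 0;
}

/* Scan autorun.inf text. Returns 1 if an [autorun] key would launch a
 * program, copying the offending key=value pair into `hit` (may be NULL). */
int autorun_would_execute(const char *inf, char *hit, size_t hit_len)
{
    char line[LINE_MAX_LEN];
    int in_autorun = 0;
    const char *p = inf;

    while (*p) {
        size_t n = 0;                               /* copy one line */
        while (*p && *p != '\n' && n < sizeof line - 1) line[n++] = *p++;
        line[n] = '\0';
        while (*p && *p != '\n') p++;               /* drop any overlong tail */
        if (*p == '\n') p++;

        char *t = trim(line);
        if (*t == '\0' || *t == ';') continue;      /* blank or comment */
        if (*t == '[') {                            /* section header */
            in_autorun = prefix_ci(t, "[autorun]");
            continue;
        }
        if (!in_autorun) continue;

        char *eq = strchr(t, '=');
        if (!eq) continue;
        *eq = '\0';
        char *key = trim(t);
        char *val = trim(eq + 1);
        if (is_launch_key(key) && looks_like_launcher(val)) {
            if (hit) snprintf(hit, hit_len, "%s=%s", key, val);
            return 1;
        }
    }
    return 0;
}

/* Convenience wrapper: the offending entry, or NULL if none. */
const char *first_launch_entry(const char *inf)
{
    static char buf[LINE_MAX_LEN];
    return autorun_would_execute(inf, buf, sizeof buf) ? buf : NULL;
}

/* Constructed samples (not real captures). */
const char SAMPLE_MALICIOUS_INF[] =
    "[autorun]\r\n"
    "open=autoplay\\setup.exe\r\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n";
const char SAMPLE_VERB_INF[] =
    "[AutoRun]\n"
    "shell\\open\\command = evil.exe\n"
    "shell=open\n";
const char SAMPLE_BENIGN_INF[] =
    "[autorun]\r\n"
    "icon=driver.ico\r\n"
    "label=Photos\r\n";

int main(void)
{
    const char *samples[] = {SAMPLE_MALICIOUS_INF, SAMPLE_VERB_INF, SAMPLE_BENIGN_INF};
    for (size_t i = 0; i < 3; i++) {
        const char *e = first_launch_entry(samples[i]);
        printf("sample %zu: %s\n", i, e ? e : "no launch entry");
    }
    return 0;
}
```

Note that the check is deliberately about intent (would this file run something?) rather than about a particular filename, since worms rename their payloads freely; an icon or label key on its own is what a legitimate driver CD ships.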


Smoke and mirrors and Win32/Phorpiex

This month one of the families introduced to MSRT is Win32/Phorpiex, a worm that spreads via removable drives and has IRC-controlled backdoor functionality. In most respects Phorpiex is just another worm, with typical command and control via IRC as well as spreading via removable drives. Like much other malware, it usually does this by using…