Some shellcode de-mystified

The shellcode described in this post was obtained from the Eleonore v1.2 exploit kit. High-level details about that kit are mentioned in my April 2012 blog post. This post is a technical view of the actual shellcode and is intended to be instructive to the inquisitive reader. Since this code is relatively old, the main…

0

January ’12 MSRT: Win32/Sefnit

The January 2012 edition of the Microsoft Malicious Software Removal Tool (MSRT) includes detection and removal of the Win32/Sefnit family of trojans. This trojan family moderates and redirects web browser search engine results for Bing, Yahoo! and Google. The earliest reported variant in this family can be traced back to August 2010. The installation mechanism…

0

MSRT November ’11: Carberp

We included three threat families in the November edition of the Microsoft Malicious Software Removal Tool – Win32/Carberp, Win32/Cridex and Win32/Dofoil. In this post, we discuss Win32/Carberp. The first variant of Win32/Carberp was discovered early last year. This malware has evolved from a trojan downloader that downloads an additional password stealer, such as PWS:Win32/Ldpinch, to…

0

Update on the Zbot spot!

Hello Internet! I’m back to update you on our changes to Zbot in the Malicious Software Removal Tool (MSRT). We reviewed the data coming back from MSRT in September and incorporated the findings into October’s MSRT (and beyond), which means we are now in a position to provide additional information. As I mentioned in the…

0

There’s more than one way to skin an orange…

​When it comes to attacking a system, and compromising its data and/or resources, there are several different methods that an attacker can choose. One of the more effective ways to make a successful compromise is to take advantage of perceived vulnerabilities in the targeted system. A vulnerability refers to a characteristic of a system that…

0

Mobile threats on the desktop

The MMPC has been routinely monitoring threats (via the desktop) that affect different mobile platforms such as Symbian, Java ME, Android, RIM, iOS and Windows Mobile. One of the increasingly common ways we see mobile devices being compromised is by allowing the user to download and install applications independently. This is because the consumer cannot…

0

SIRv11: Putting Vulnerability Exploitation into Context

As Vinny Gullotto, our GM blogged earlier in the week, the 11th edition of the Security Intelligence Report (SIRv11) has been released. One of the new areas of research in this release is a study of the most prevalent kinds of vulnerability exploitation and how much of that exploitation is 0-day (short for zero-day, an…

0

MSRT October ’11: EyeStye

This month, the Malicious Software Removal Tool (MSRT) targets two families: Win32/EyeStye and Win32/Poison. EyeStye (aka ‘SpyEye’) is a family of trojans that steals information, targeting authentication data used for online banking such as passwords and digital certificates. The method it employs is called “form grabbing” which involves the interception of webform data submitted to…

0

Bamm Bamm, Rubble.

The family selected for addition to MSRT this month is Win32/Bamital. Win32/Bamital was first discovered in September 2009 and was able to intercept and modify queries performed by search engines such as AltaVista, Bing, Google and Yahoo. Win32/Bamital has evolved over a number of generations, employing a varying range of system modifications to ensure that…

0

July MSRT on web redirector malware

​This month, we added Win32/Tracur and Win32/Dursg, two of the most prevalent pieces of malware belonging to the category of ‘web redirectors’, to our Malicious Software Removal Tool (MSRT). After just over two weeks in release, we have early numbers on our success in detecting and removing these twinned threats. In terms of functionality, Win32/Tracur…

0