Win32/FakeSecSen – A Nasty Piece of Work

I hate rogues. I don’t mean the World of Warcraft character class; I’m talking about rogue security software. In case you haven’t heard the term before, this is software that tells you that your system is crawling with bad stuff (for free!) and then offers to remove it for you (that’ll cost you). Of course…

SWF for Malware Deployment

More and more each day I see SWF files being sent to us as a potential part of a malware deployment chain. Most of the time it is not the case, but because of the special cases where the submitter was actually right, I decided to write this entry. I’ve been spending part of today…

Malware and Signed Code

Microsoft Authenticode® is a technology that can help ensure the source of code. It does not ensure that code is safe to run, but it can ensure that the code is associated with an entity in a trust chain. Since you should base your trust decision about code on whether you trust the source or…

Microsoft Security Intelligence Report Volume 5 is Now Available

One of our goals here at the Microsoft Malware Protection Center (MMPC) is to share the valuable data, insights and expertise we have with customers on a regular basis in an effort to help customers better understand the changes occurring in the threat landscape and improve their defenses accordingly. We just released the fifth volume…

Win32/Rustock Hide and Seek – MSRT Telemetry

In his 10/18 blog post, Oleg provided great insights about the distribution, installation and payload of Win32/Rustock, which was added to the MSRT 10/14 release. As of 10/29, MSRT has removed this rootkit from 99,418 distinct machines. The breakdown of these removals by region is shown below. Country/Region – distinct machines cleaned: United States 41,305; France 6,295; Spain…

Get Protected, Now!

Microsoft released a security update today that fixes a vulnerability that affects all supported versions of Windows. On some versions of Windows, an unauthenticated attacker can remotely execute code on a vulnerable computer. Basically if file sharing is enabled and the security update is not installed yet, the computer is vulnerable. File sharing is enabled…

Trojan Writers Drive BMW

Why is malware that targets online games so prevalent these days? Why is there an interesting saying in China: “Trojan writers drive BMW” (“写木马, 开宝马”)? The writers and distributors of trojans that steal passwords and account details from popular online games have been making huge profits. Why and how can they make huge profits from…

Uprooting Win32/Rustock

This month we added a family of rootkit-enabled trojans to MSRT – Win32/Rustock. Win32/Rustock is a multi-component family of rootkit-enabled backdoor trojans, which were historically developed to aid in the distribution of ‘spam’ e-mail. First discovered sometime in early 2006, Rustock has evolved to become a prevalent and pervasive threat. Recently we’ve seen it associated with the…

SQL Injection – New Approach for Win32/FakeXPA?

(often known as “Antivirus 2009”). One night while browsing, a message box popped up asking me to do a “security scan”. As a researcher, I wouldn’t let this pass me by. After going through my opened tabs I narrowed down the culprit to a forum I had open at the time. “View Source” showed a…

Email Scam Targets Microsoft Customers

Email scams are a common way to spread malware and/or steal personal information. Some great guidelines to help you protect yourself from such scams are outlined here: http://www.microsoft.com/protect/computer/viruses/email.mspx We have recently found out about the latest in an ongoing string of email scams that target Microsoft customers. This particular scam contains the Backdoor:Win32/Haxdoor trojan as…