Microsoft Malware Protection Center

Threat Research & Response Blog

  • Microsoft Malware Protection Center

    The evolution of Rovnix: Private TCP/IP stacks

    • 8 Comments
    We recently discovered a new breed of the bootkit Rovnix that introduces a private TCP/IP stack. It seems this is becoming a new trend for this type of malware. The implementation of the private stack is based on an open-source TCP/IP project and it can be accessed from both kernel and user modes. It works like this: At boot time, Rovnix hooks the following exported APIs in ndis.sys by patching the export table in memory: NdisMRegisterMiniportDriver() (for NDIS 6.0) NdisMRegisterMiniport...
  • Microsoft Malware Protection Center

    A fresh face for the Microsoft Malware Protection Center

    • 5 Comments
    Today we launched our new Microsoft Malware Protection Center website . Throughout the redesign process we have been listening to your feedback. You asked for an easier way to find our security software and updates; you can now get to all of our product downloads straight from our homepage. While you’re on the homepage you’ll also see links to our help archive , blogs , and trending security topics from the Microsoft Community forums . One of our top priorities is to make it...
  • Microsoft Malware Protection Center

    Viewing Vobfus infections from above

    • 1 Comments
    Win32/Vobfus is a family of worms that spreads via removable drives and downloads other malware, and a family that is causing people a lot of pain lately. Vobfus was initially discovered in September 2009 and became prevalent with its use of the MS10-046 .LNK vulnerability . The .LNK vulnerability has also been used by Chymine , Sality , and Zbot , though it is no longer used by Vobfus. The name Vobfus comes from the characteristics that these worms are V isual Basic and obfus cated. Vobfus is...
  • Microsoft Malware Protection Center

    Another year, another rogue. Not what the doctor ordered

    • 0 Comments
    Another new year is almost upon us. Or at least that's what the distributors of Rogue:Win32/Winwebsec would have us believe - releasing a new branding System Doctor 2014 just prior to the middle of 2013. Figure 1: System Doctor 2014 user interface For some time, Winwebsec has had only one branding active at a time. While there have been a number of name changes, the interface and behavior have otherwise remained mostly unchanged. System Doctor 2014 represents a departure from this, with...
  • Microsoft Malware Protection Center

    Investigation of a new undocumented instruction trick

    • 0 Comments
    While investigating some new malware samples this week, we came across a few interesting files that use a new trick with an undocumented instruction. We had to do a bit of digging around the Intel instructions list to solve this little mystery. While it turned out that the trick itself isn't effective in complicating debugging and disassembly, we think it's worth sharing anyway, as we're now seeing three different malware variants using it. One of the samples flagged by our systems (SHA1:3d85cc93115c1ebfdeba17b54d6570e06c1bb2f5...
  • Microsoft Malware Protection Center

    Ad injection and you - how adware gets on your computer

    Are advertisements showing up in your browser (no matter whether you use Internet Explorer, Firefox or Chrome) on sites that you've never seen ads on before; or, do the ads seem different from what you've seen before? Your system might be affected by adware that injects advertisements into sites as you browse, such as Adware:Win32/InfoAtoms and Adware:Win32/Addlyrics . One of the biggest questions we get about these programs (besides how to get rid of them), is how did it get installed in the...
  • Microsoft Malware Protection Center

    Rise of the social bots

    Malware authors and distributors follow the money. When you consider the growing popularity of social networking websites, it should come as no surprise that malware continues to maintain its presence in this area. Every year we are spending a growing proportion of our time online using social media like Facebook, Twitter and YouTube. What does this mean for the malware ecosystem? Malware authors and distributors know that social networks don’t just connect people, they also instill a...
  • Microsoft Malware Protection Center

    Microsoft’s proactive fight against cybercrime

    The Microsoft Malware Protection Center (MMPC) is committed to protecting our customers from malicious software and disrupting the malware ecosystem. To achieve these goals, we forge partnerships with internal and external teams. One such team, Microsoft Digital Crimes Unit (DCU), has expanded their partnerships to include the National Institute of Communication Technologies (INTECO) of Spain. This organization is one of the first to utilize live botnet data feeds from the new Azure-based Cyber...
  • Microsoft Malware Protection Center

    How easily USteal my passwords

    Bundling malware and legitimate software on unofficial download websites is an effective way of tricking users into running malicious files. We often see keygens, hacktools and game trainers bundled with trojans and posted on forums or as comments under videos. I recently analyzed a file that claimed to be a game tool used for customizing Dota2, a multiplayer online battle arena video game developed by Valve Corporation. The tool was made by a third party and offered for free download online....
  • Microsoft Malware Protection Center

    The Wonder of Sirefef Plunder

    Sirefef , also known as ZeroAccess, is a malware platform for receiving and running malware modules. Two prominent modules generate revenue for the cyber criminals, by mining for bitcoins and perpetrating click-fraud. Click-fraud is the deliberate misappropriation of ad revenue by generating online clicks that don’t originate from a potential customer or the rightful publisher. Click-fraud is lucrative and a relatively easy way for cyber criminals to monetize their malware and/or launder...
Page 1 of 45 (448 items) 12345»