Microsoft Malware Protection Center

Threat Research & Response Blog

  • Microsoft Malware Protection Center

    Reversal of fortune: Sirefef’s registry illusion

    • 3 Comments
    I have mentioned in a previous blog that the use of the right-to-left-override (U+202E) unicode character is nothing new. This blog also went on to show the various file name tricks used by malware. But now we see something different: the use of this trick by variants of the Sirefef family of malware. The variants use the right-to-left-override character in the registry in order to hide its presence by mimicking a setting instantiated by a Google Chrome installation. When a user installs an...
  • Microsoft Malware Protection Center

    The original AppCompat (solving a 20-year-old mystery for me)

    • 0 Comments
    DOS v5.0, released in 1991, introduced the concept of DOS loading "high". That is, into the high memory area - that special 64kb area at the top of the first megabyte of memory. As a result of this change, programs now loaded to a much lower address in memory than they did before. This change also exposed a previously unknown bug that exists in the code produced by certain versions of the Exepack utility, or Link* with the "/EXEPACK" option. The bug caused memory corruption, which usually resulted...
  • Microsoft Malware Protection Center

    The evolution of Rovnix: Private TCP/IP stacks

    • 8 Comments
    We recently discovered a new breed of the bootkit Rovnix that introduces a private TCP/IP stack. It seems this is becoming a new trend for this type of malware. The implementation of the private stack is based on an open-source TCP/IP project and it can be accessed from both kernel and user modes. It works like this: At boot time, Rovnix hooks the following exported APIs in ndis.sys by patching the export table in memory: NdisMRegisterMiniportDriver() (for NDIS 6.0) NdisMRegisterMiniport...
  • Microsoft Malware Protection Center

    A fresh face for the Microsoft Malware Protection Center

    • 5 Comments
    Today we launched our new Microsoft Malware Protection Center website . Throughout the redesign process we have been listening to your feedback. You asked for an easier way to find our security software and updates; you can now get to all of our product downloads straight from our homepage. While you’re on the homepage you’ll also see links to our help archive , blogs , and trending security topics from the Microsoft Community forums . One of our top priorities is to make it...
  • Microsoft Malware Protection Center

    Viewing Vobfus infections from above

    • 2 Comments
    Win32/Vobfus is a family of worms that spreads via removable drives and downloads other malware, and a family that is causing people a lot of pain lately. Vobfus was initially discovered in September 2009 and became prevalent with its use of the MS10-046 .LNK vulnerability . The .LNK vulnerability has also been used by Chymine , Sality , and Zbot , though it is no longer used by Vobfus. The name Vobfus comes from the characteristics that these worms are V isual Basic and obfus cated. Vobfus is...
  • Microsoft Malware Protection Center

    Another year, another rogue. Not what the doctor ordered

    • 0 Comments
    Another new year is almost upon us. Or at least that's what the distributors of Rogue:Win32/Winwebsec would have us believe - releasing a new branding System Doctor 2014 just prior to the middle of 2013. Figure 1: System Doctor 2014 user interface For some time, Winwebsec has had only one branding active at a time. While there have been a number of name changes, the interface and behavior have otherwise remained mostly unchanged. System Doctor 2014 represents a departure from this, with...
  • Microsoft Malware Protection Center

    Investigation of a new undocumented instruction trick

    • 0 Comments
    While investigating some new malware samples this week, we came across a few interesting files that use a new trick with an undocumented instruction. We had to do a bit of digging around the Intel instructions list to solve this little mystery. While it turned out that the trick itself isn't effective in complicating debugging and disassembly, we think it's worth sharing anyway, as we're now seeing three different malware variants using it. One of the samples flagged by our systems (SHA1:3d85cc93115c1ebfdeba17b54d6570e06c1bb2f5...
  • Microsoft Malware Protection Center

    Ad injection and you - how adware gets on your computer

    Are advertisements showing up in your browser (no matter whether you use Internet Explorer, Firefox or Chrome) on sites that you've never seen ads on before; or, do the ads seem different from what you've seen before? Your system might be affected by adware that injects advertisements into sites as you browse, such as Adware:Win32/InfoAtoms and Adware:Win32/Addlyrics . One of the biggest questions we get about these programs (besides how to get rid of them), is how did it get installed in the...
  • Microsoft Malware Protection Center

    Rise of the social bots

    Malware authors and distributors follow the money. When you consider the growing popularity of social networking websites, it should come as no surprise that malware continues to maintain its presence in this area. Every year we are spending a growing proportion of our time online using social media like Facebook, Twitter and YouTube. What does this mean for the malware ecosystem? Malware authors and distributors know that social networks don’t just connect people, they also instill a...
  • Microsoft Malware Protection Center

    Microsoft’s proactive fight against cybercrime

    The Microsoft Malware Protection Center (MMPC) is committed to protecting our customers from malicious software and disrupting the malware ecosystem. To achieve these goals, we forge partnerships with internal and external teams. One such team, Microsoft Digital Crimes Unit (DCU), has expanded their partnerships to include the National Institute of Communication Technologies (INTECO) of Spain. This organization is one of the first to utilize live botnet data feeds from the new Azure-based Cyber...
Page 1 of 45 (450 items) 12345»