Updated Microsoft Malicious Software Removal Tool (March, 2006)

Microsoft has updated their malware removal tool. It runs once, when Windows Update delivers it, and can also be downloaded and run on demand; unlike a resident AV product it offers no continual defense. Updates for March, 2006, include:

Source: Malicious Software Removal Tool, updated March 14, 2006.

March 14, 2006 in Bagle, Blaster, defense, microsoft, sasser, tools, witty, Zotob

Updated Microsoft Malware Removal Tool (Jan, 2006)

It's Patch Tuesday, and that means that Microsoft has updated their Malware Removal Tool. Detection this month focuses on some of the more prolific but "beneath the radar" malware: The full list of families detected and removed by the Windows Malware Removal Tool is on the website. The team responsible for the product is also blogging its work.

January 10, 2006 in Bagle, Blaster, detection, IM worms, microsoft, sasser, SQLSlammer, tools, Zotob

VX reversing II, sasser B

The Sasser worm from May of 2004 provides an excellent example of modern malware in a reverse engineering setting. Eduardo Labir's article for the CodeBreakers Journal is a nice tutorial on how to really get into code, analyze it, and understand what is going on.

Tools you'll want to have handy: VMware, so that you don't trash your main machine (a throwaway physical machine also works, but a virtual system keeps the number of boxes down); OllyDbg, a free 32-bit debugger with plenty of nice features; and IDA Pro, one of the best disassemblers I know of (it's commercial; the HT editor can do in a pinch).

The well-known worm Sasser has been one of the viruses which has received more attention in the press in the latest months. Its author, an 18-year-old student from Germany, after causing lots of trouble to many home users and small enterprises faces up to several years in prison. Sasser is not a well programmed virus; its success is entirely due to the exploit it implements, which was announced by Microsoft in one of their security bulletins. In this paper, we will reverse Sasser.B - the second of its variants - showing how it works and also how to clean your computer after infection.

Source: VX reversing II, sasser B, Eduardo Labir, in the CodeBreakers Journal. Eduardo also has a nice piece entitled VX reversing I, The Basics where you may want to begin if this is new to you.

January 2, 2006 in malware, papers, sasser, tools

The Sasser Event: History and Implications

Normally I'm reluctant to post a vendor white paper, mostly because they contain little technical information and are more marketing than substance. However, this is an exception to that trend. While the Sasser worm event is now well over a year and a half behind us, the timeline itself is intriguing to study. Trend Micro has written up a nice, detailed overview of the event which may be interesting to Wormblog readers.

This White paper is not an exhaustive technical guide on how SASSER operates and how to deal with it. Rather, it presents the said malware family as an event that has a unique context. Hence, this study is primarily concerned with SASSER’s behavior in relation to other chronological events and other malware families.

Source: The Sasser Event: History and Implications [PDF], from Trend Micro.

November 26, 2005 in new trends, sasser

MS Malware Tool Updated (October, 2005)

Microsoft has updated the malware removal tool they wrote and maintain for October, 2005. The new malware families they detect are:

As always, this is just one tool in a Windows malware remediation toolkit. It does not run in real time, so it offers no ongoing protection; look to an AV solution for that. It looks only for the known signs of these malware families and may not catch future variants.

As always, make sure you get the latest version from Microsoft. The number of families they detect and clean up is always growing.

October 11, 2005 in Bagle, Blaster, defense, mass mailers, microsoft, sasser, witty, Zotob

Updated MS Malware Removal Tool (Sept. 2005)

Microsoft has updated their Malware Removal Tool for September, 2005. The new families of malware detected are:

If you're building an incident response kit, this is a worthwhile tool to have on hand. It's not a substitute for a full AV tool, but it's a fast "first pass".

If you've come to this page via a web search, make sure you download the latest update of the tool. Microsoft updates it every month.
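The posts above describe the tool as something you download and run on demand, and as a fast "first pass" for an incident response kit. The script below is an added example, not code from Wormblog or from Microsoft, showing what that first pass looks like when scripted from PowerShell: it checks which monthly release is installed, runs mrt.exe quietly in detect-only mode, and pulls this run's results out of the tool's log. It assumes the documented mrt.exe switches (/Q, /N, /F:Y), the default log location %windir%\debug\mrt.log, the HKLM\SOFTWARE\Microsoft\RemovalTools\MRT registry key, and typical log wording ("Results Summary", "No infection found"); adjust those if your release differs.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post or from Microsoft). Runs the installed
# Malicious Software Removal Tool on demand in detect-only mode and reports the outcome.
# Assumed: switches /Q (quiet) and /N (detect only) as documented for mrt.exe; the log at
# %windir%\debug\mrt.log; the release id under HKLM\SOFTWARE\Microsoft\RemovalTools\MRT.

$mrt    = Join-Path $env:windir 'System32\mrt.exe'
$log    = Join-Path $env:windir 'debug\mrt.log'
$regKey = 'HKLM:\SOFTWARE\Microsoft\RemovalTools\MRT'

if (-not (Test-Path $mrt)) {
    throw "mrt.exe not found at $mrt; fetch the current monthly release (KB890830) first."
}

# Which monthly release is installed? The Version value changes each Patch Tuesday, so an
# old GUID (or an old binary timestamp) means the tool is stale and the scan is incomplete.
$release = (Get-ItemProperty -Path $regKey -ErrorAction SilentlyContinue).Version
Write-Host ("MSRT binary dated {0}, release id {1}" -f (Get-Item $mrt).LastWriteTime, $release)

# Remember the log length so only this run's lines are examined afterwards.
$before = if (Test-Path $log) { @(Get-Content $log).Count } else { 0 }

# /Q suppresses the UI; /N reports without cleaning. For an actual clean-up run use
# '/Q','/F:Y' instead (forced full scan, automatic removal).
$proc = Start-Process -FilePath $mrt -ArgumentList '/Q','/N' -Wait -PassThru
Write-Host "mrt.exe exited with code $($proc.ExitCode)"

if (-not (Test-Path $log)) {
    Write-Warning "No mrt.log written; check the run manually."
    return
}

# Pull this run's 'Results Summary' block out of the lines appended to the log. The wording
# below is assumed from typical mrt.log output; adjust if your release phrases it differently.
$new = @(Get-Content $log | Select-Object -Skip $before)
if ($new.Count -eq 0) {
    Write-Warning "mrt.log was not appended to by this run; check the run manually."
    return
}
$start = -1
for ($i = 0; $i -lt $new.Count; $i++) {
    if ($new[$i] -match 'Results Summary') { $start = $i; break }
}
$summary = if ($start -ge 0) { $new[$start..($new.Count - 1)] } else { $new }

if ($summary -match 'No infection found') {
    Write-Host "MSRT found nothing in its family list. That is not a clean bill of health:"
    Write-Host "the tool knows only the families Microsoft ships signatures for; follow with a full AV scan."
} else {
    Write-Warning "MSRT reported something other than 'No infection found'; review this run's summary:"
    $summary | ForEach-Object { Write-Warning $_ }
}
```

Run it elevated on the suspect host; the release id and binary date tell you at a glance whether the copy on the box is this month's, which matters because each monthly release only adds families and never re-scans for what an older copy already missed.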

September 14, 2005 in Bagle, Blaster, detection, microsoft, sasser, tools, witty, Zotob

Updated Microsoft Malware Removal Tool (August, 2005)

This past "patch Tuesday" Microsoft released an updated malware removal tool. This month adds:

You can view the tool's details online or run it from their website for your Windows system on the Microsoft Malware Removal Tool Homepage. As always, this tool is not a replacement for AV scanners; it is only a relatively fast-acting tool for some popular malware, and not all variants are caught.

August 15, 2005 in Bagle, Blaster, detection, microsoft, sasser, tools

DDoSVax Worm Traffic Analysis

The Swiss research group hosted under the banner of 'DDoSVAX' has been known for many years for doing good work. They have used some of their measurement infrastructure to analyze worm traffic, as well. Several worms are studied and presented on their website:

August 3, 2005 in Blaster, mass mailers, sasser, tools

Microsoft Malware Removal Tool Updates (July, 2005)

Microsoft has updated their Malware Removal Tool with new virus, worm and malware definitions for July, 2005. New this month are:

This tool has a decent list of popular malware families that it detects and removes; however, it is no substitute for a full-blown AV tool. It only looks for the common signs of these malware families. The tool is available for download now.

July 13, 2005 in Bagle, Blaster, microsoft, sasser, tools

Microsoft to Pay Reward to Sasser Worm Informants

Following the conviction of Sven Jaschan for writing and releasing the Sasser worm, Microsoft is living up to its promise of offering rewards for information leading to specific malware convictions.

Microsoft Corp. today announced that two individuals who helped identify the creator of the notorious Sasser worm in 2004 will share a reward of $250,000 (U.S.). The author of the worm, arrested in May 2004, was found guilty Friday by a court in Verden, Germany, and handed a sentence of one year and nine months on probation and 30 hours of community service.

...

“We’re pleased that the author of the Sasser worm has admitted responsibility for the damage he caused and is being held accountable,” said Nancy Anderson, vice president and deputy general counsel at Microsoft. “It has been important and gratifying to collaborate with and support law enforcement in this case, and we’re glad to provide a monetary reward to those individuals who provided credible information that helped the German police authorities solve this case.”

The reward will be paid from Microsoft’s anti-virus reward program, an initiative established by the company with Interpol, the Federal Bureau of Investigation and the United States Secret Service in November 2003 to provide an incentive for people to help identify those responsible for unleashing malicious viruses and worms on the Internet and deter cyber-criminals. The reward is paid to informants who are not involved in the criminal activity and provide credible information to law enforcement agencies that leads to an arrest and conviction.

Source: Microsoft to Pay Reward to Sasser Worm Informants, Microsoft Press Release, July 8, 2005.

July 10, 2005 in government, microsoft, sasser