Using Current Data from SRI’s Malware Threat Center for Firewall and IDS / IPS rulesets

The SRI International Nonprofit Research Institute has a few lists that I like to review on a regular basis. 

I use this data to tweak firewall and IDS/IPS rulesets, especially with Snort systems.  On a semi-related note, another great resource for Snort rules is Emerging Threats.

mrt.exe reports back to Microsoft

Microsoft’s Malicious Software Removal Tool (MRT) helps remove malware infections of specific, prevalent malicious software—including Blaster, Sasser, and Mydoom.

If your machine runs Windows 2000, XP, Vista, or Windows Server 2003 and you have Automatic Updates enabled on your computer, MRT is automatically updated on the second Tuesday of each month. After MRT runs, it logs its findings to the %windir%\debug directory, which is typically c:\Windows\Debug.

Buried in the fine print on the Microsoft web site is the following sentence:

“Also, please be aware that this tool reports anonymous information back to Microsoft in the event that an infection is found or an error is encountered.”

What information is sent to Microsoft? Here is the current list:

• The name of the malicious software that is detected
• The result of malicious software removal
• The operating system version
• The operating system locale
• The processor architecture
• The version number of the tool
• An indicator that notes whether the tool is being run from Microsoft Update, from Windows Update, from Automatic Updates, from the Download Center, or from the Web site.
• An anonymous GUID
• A cryptographic one-way hash (MD5) of the path and file name of each malicious software file that is removed from the computer

If apparently malicious software is found on the computer, the tool prompts you to send information to Microsoft beyond what is listed above. You are prompted in each of these instances, and this information is sent only with your consent. The additional information includes the following:

• The files that are suspected to be malicious software. The tool will identify the files for you.
• A cryptographic one-way hash (MD5) of any suspicious files that are detected.

No other information is sent to Microsoft.

I’m not sure how others feel, but I don’t like any of my information being sent to Microsoft, whether it be anonymous or not. For example, let’s say my machine has an infected copy of wgaremover.exe. I can’t believe that Microsoft doesn’t have ways of connecting this program, which allows you to bypass Windows Genuine Advantage, back to my IP address.

Luckily, KB 891796 describes how to disable this reporting component that sends the results of your scan to Microsoft, along with the information regarding the infected files. You can perform the following registry changes to disable the reporting:

add DontReportInfectionInformation with type REG_DWORD and value data: 1

Logging is automatically disabled if the following registry key value exists:


This registry key value indicates that the computer is connected to an SUS server. You can download an updated version of the Malicious Software Removal Tool here, or the 64-bit version here. Note that KB 890830 states:
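As an added example (not from the original post), the following PowerShell script audits the two registry conditions described above, optionally sets the opt-out value, and summarises the last run from the log MRT leaves in %windir%\debug. The key paths HKLM\SOFTWARE\Policies\Microsoft\MRT and HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (WUServer) are not in the post and are taken from Microsoft's documentation of these settings; the mrt.log line markers are an assumption based on typical logs.

```powershell
# Added example: audit MRT reporting state and (optionally) disable it.
# Assumptions: policy key paths from Microsoft's documentation, not the post;
# run from an elevated prompt so the HKLM write succeeds.
param([switch]$DisableReporting)

$mrtKey = 'HKLM:\SOFTWARE\Policies\Microsoft\MRT'
$wuKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$log    = Join-Path $env:windir 'debug\mrt.log'

function Get-RegValue($Path, $Name) {
    # Return $null when the key or value is missing instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# Reporting is off when the opt-out DWORD is 1, or when WUServer is present
# (the machine is pointed at an SUS/WSUS server, as the post describes).
$optOut   = Get-RegValue $mrtKey 'DontReportInfectionInformation'
$wuServer = Get-RegValue $wuKey  'WUServer'
$reports  = -not (($optOut -eq 1) -or $wuServer)

"DontReportInfectionInformation : $optOut"
"WUServer (SUS indicator)        : $wuServer"
"MRT will report to Microsoft    : $reports"

if ($DisableReporting -and $reports) {
    if (-not (Test-Path $mrtKey)) { New-Item -Path $mrtKey -Force | Out-Null }
    New-ItemProperty -Path $mrtKey -Name 'DontReportInfectionInformation' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    'Set DontReportInfectionInformation = 1 (reporting disabled)'
}

# Summarise the most recent run from the log in %windir%\debug.
if (Test-Path $log) {
    "--- Last MRT run (from $log) ---"
    # Line markers below are those seen in typical mrt.log files; this is an
    # assumption about the log format, not something the post states.
    Get-Content $log |
        Select-String -Pattern 'Started On|Results Summary|infection|Return code|Finished On' |
        Select-Object -Last 6 | ForEach-Object { $_.Line }
} else {
    "No MRT log found at $log (MRT has not run on this machine yet)"
}
```

Run it with no arguments to audit only; add -DisableReporting to apply the registry change from the post.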

“The first time that you download and run the tool by using Automatic Updates, Microsoft Update, or Windows Update, you must be logged on to the computer by using an account that is a member of the Administrators group. After you accept the one-time license terms, you can receive future versions of the tool without being logged on to the computer as an administrator.”

If you are experiencing problems with MRT, consult KB 891717 for troubleshooting guidance.

Bhutto Assassination video codec malware from Blogger in my content filter logs

This morning I’ve taken some time to scan my content filter logs from the past two weeks. Normally I look through them every few days, but I’ve been on a well-deserved extended vacation.

It seems that some network users have been searching for video of the Benazir Bhutto assassination.  There have been quite a few recent reports of malicious Blogger sites that advertise the video, but when users try to view it, they are told they do not have a required codec installed.  They are prompted to download the codec, which results in a Zlob trojan downloading and installing to their system – see the McAfee blog for details and images.

CastleCops, Sunbelt Blog, and SANS Internet Storm Center have examples of an infected site.

My content filter logs show four or five users successfully downloading the offensive codec. I’m hoping that our desktop anti-virus software and group policy stopped the malware installation, but I’m not holding my breath. I wrote a script that’s scanning all machines for the fake codec, but I’ll probably have to wait until school resumes on Monday, January 8th to scan the entire network. Only a very few users are working this week, so hopefully that will help contain the infestation.

If I do find Zlob installations, I plan on using the SmitFraudFix removal tool and the free removal tool I found on ParasiteDB. You can read all about SmitFraudFix and Zlob at the S!Ri.URZ blog.