September 2, 2014

Microsoft Malware Protection Engine can be disabled via a specially crafted file

(LiveHacking.Com) – Microsoft has released a security advisory about a denial of service vulnerability in its Malware Protection Engine. According to Microsoft, if the Malware Protection Engine scans a specially crafted file, it can cause a denial of service condition. This means that an attacker who manages to exploit the vulnerability could stop the Microsoft Malware Protection Engine from monitoring the filesystem until the specially crafted file is manually deleted and the service is restarted. During this time the PC is susceptible to infection by other malware.

To exploit the vulnerability, an attacker would need to place a specially crafted file on the target PC. This could be achieved in one of several different ways, including via a website, via an email message, or in an Instant Messenger message. If the affected anti-malware software has real-time protection turned on (which is the default), then the Microsoft Malware Protection Engine will scan the file automatically, leading to exploitation of the vulnerability.

The Malware Protection Engine is used by a variety of Microsoft products including Windows Security Essentials and Windows Defender. Microsoft has rated the vulnerability as “Important,” but not “Critical.”

Microsoft has fixed the vulnerability and the engine will be updated automatically when your PC next updates its malware definitions. Because the fix is part of the “normal” malware updates, Microsoft won’t be issuing a Security Bulletin about the problem, nor will it feature in a future Patch Tuesday. Microsoft estimates that the built-in update mechanisms will apply the fix within 48 hours of the release; however, the exact time frame depends on the software used, Internet connection, and infrastructure configuration.

Microsoft Release Data on Most Prevalent Viruses in May

Microsoft has published details of the most prevalent viruses detected by the Microsoft Removal Tool (MSRT) during May. Seven of the top 25 viruses listed are parasitic viruses, meaning ‘old school’ malware that attaches to, modifies or resides in a host file on the file system.

Top 25 detections by MSRT, May 10 – May 20

Family | Machine Count | Note
Sality | 202,351 | Classic parasitic virus
Taterf | 77,236 | Worm
Rimecud | 65,149 | Worm
Vobfus | 59,918 | Worm
Alureon | 58,884 | Evolved parasitic virus
Parite | 53,778 | Evolved parasitic virus
Ramnit | 52,549 | Evolved parasitic virus
Brontok | 50,392 | Worm
Cycbot | 50,209 | Trojan
Conficker | 49,173 | Worm
Renocide | 48,395 | Worm
Bubnix | 45,712 | Trojan
FakeRean | 40,695 | Rogue
Zbot | 40,087 | Trojan
Bancos | 39,452 | Trojan
Frethog | 33,100 | Evolved parasitic virus
Banker | 31,675 | Trojan
Jeefo | 22,396 | Classic parasitic virus
Renos | 21,858 | Trojan
Lethic | 21,521 | Trojan
Cutwail | 21,222 | Trojan
Virut | 20,963 | Classic parasitic virus
Hamweq | 17,102 | Worm
FakeVimes | 14,899 | Rogue
Hupigon | 14,553 | Trojan

The top parasitic virus is Win32/Sality, a family of polymorphic file infectors that target Windows executable files with extensions .SCR or .EXE. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.

The top ten also includes Win32/Ramnit, Alureon and Parite, which Microsoft has classified as “evolved.” By this Microsoft means that the virus combines earlier and later generations of malicious infection techniques. In the case of Ramnit, Scott Molenkamp noted that the virus was trying to use an old school Office file infection, and he remarks that “it is interesting to see that malware authors continue to experiment with both old and new techniques.”