Microsoft acquires Komoku

Today, Microsoft announced the acquisition of Komoku to add to Forefront and Windows Live OneCare's technological capabilities.  I would like to take this opportunity to review the year since my "Hello World" blog post and again provide insight on where we will be going.

A year ago, I noted our test results were "not stellar" :-). We were lacking VB100 certification, and independent test results placed us ten to fifteen points behind where we hoped to score.  I then promised that we were going to do our best to obtain the VB100 every time after. And while always concentrating on what was important—the malware most likely to affect our users—we brought our test scores on par with the rest of the industry. This year is going well, and we now have test results again to see how we delivered on those promises.

Virus Bulletin continues its bi-monthly VB100 Awards, and both Forefront and Windows Live OneCare have obtained VB100 Awards each time they were considered, five in total.  That is no simple task as many products, some sporting incredible streaks previously, managed to have that streak broken in that time.  We continue to maintain our certifications by ICSA Labs (www.icsalabs.com) and West Coast Labs (www.westcoastlabs.org).  Additionally, we now seek and obtain “Cleaning” certification.  That means malware removal is now also being certified.

In the area of test scores, we attained the level where we are competitive in our detection rates.  AV-Comparatives (www.av-comparatives.org), which had rated us a Fail with 82.4% last year, now rates our detection as Advanced at 93.9%.  At the same time, AV-Test (www.av-test.org) shows our detection rate to be 97.8%. This is above most of the other products listed, including those we consider our peers.  Last year, I had said, "You will see our results gradually and steadily increase until they are on par with the other majors in this arena.  And soon after, they will need to catch up to us!"  I think we are somewhere between those two sentences.

But, why the difference between the two scores?  Isn’t that a significant difference?

AV-Test used malware exclusively from the two months prior to its test.  AV-Comparatives, on the other hand, used malware dating back up to three years.  The higher detection of more recent malware highlights our dedication to protecting our users from the malware they are more likely to encounter.  Malware older than a year, or even six months, that hasn't been seen in that time is not likely to be encountered again.  Malware writers are more keen to create new malware that none of the security products detect than to reuse old malware that some already detect.  This issue of meaningful testing is an area that the newly forming Anti-Malware Testing Standards Organization (AMTSO) seeks to address.

So, are we “stellar” yet?  That would imply that we are satisfied with where we are.  So, the obvious answer is that we will never feel satisfied. 

AV-Test.org tests more than just malware detection.  There are criteria where we still need to improve.  Among them are rootkit detection, generic/proactive capabilities and response time. 

Response time is a component in how we support our users.  Now, with fully staffed Research Labs in Dublin (headed by Katrin Totcheva) and Melbourne (headed by Jakub Kaminski) and beefing up Redmond with the addition of Joe Hartmann, we are well suited to do our best to support our users.

And now back to the acquisition of Komoku.  The addition of Komoku, especially its talented core of researchers, will add to our proactive capabilities in detecting zero-day vulnerabilities and improve rootkit detection.  We are very excited and hope soon to conquer these next challenges.

-- Jimmy Kuo

For additional information visit: http://blogs.technet.com/forefront/archive/2008/03/20/microsoft-acquires-komoku.aspx

Posted by blogmalware | 2 Comments

MBR rootkit: VirTool:WinNT/Sinowal.A report

This week you may have heard or read about a new rootkit that has been reported in the wild that uses the Master Boot Record (MBR) as its Auto-Start Entry Point (ASEP).  The malware is being called VirTool:WinNT/Sinowal.A.  First we want to let you know that if you use any of the Microsoft antivirus technologies (Windows Live OneCare, Forefront Client Security, Forefront Security for Exchange or Windows Live OneCare Safety Scanner), you are already protected from this threat as of definition version 5364.0 and higher.  Next, we want to talk about the use of the MBR as an ASEP by which to kick off the malware loading process and some of the interesting consequences of using this technique.

There are several binaries in the wild which try to install this rootkit. All the known variants are detected by Microsoft antimalware products using two generic signatures: PWS:Win32/Sinowal.gen!C and PWS:Win32/Sinowal.gen!D. 

This malware attempts to modify the MBR so that it can control what gets read from the disk into memory and execute very early in the boot process.  After the modified MBR is executed, it reads additional malicious code into memory which modifies the NT kernel to force it to load a malicious driver that has been stored at the end of the physical disk (The driver will not be visible while the infected OS is running.).  Once the driver is loaded into the kernel, it behaves just like a standard kernel mode rootkit, providing covert and stealth network backdoor functionality by hooking low level APIs to attempt to avoid detection.

Here are some interesting things about this malware:

First, the installer for this rootkit needs to modify the MBR in order to ensure that the rootkit can persist across reboots.  It does this by calling the CreateFile API to open “\Device\Harddisk0\DR0” for write access.  Using the CreateFile API in this way (for direct / raw disk access) requires administrative privileges, as mentioned in this KB article: http://support.microsoft.com/kb/q100027.  So if you are logged into Windows as a standard user, or if you are using Windows Vista with UAC enabled, then even if you accidentally run the malware installer or it runs via some exploit code, it will be running with insufficient privilege to modify the hard disk's MBR; thus it will not be able to persist across a system restart.

Next, the perceived strength of this new rootkit, its lack of a visible footprint in the registry and file system due to the use of the MBR as the ASEP, is also a big weakness!  If you suspect that you have a system that is infected with this rootkit, to prevent it from loading, all that is required is to write a known-good copy of a master boot record back to the disk to prevent the rootkit driver from being loaded on the next reboot!  Fortunately, we have made that a fairly painless process with the Windows Recovery Console and the ‘fixmbr’ command!

Here are some instructions for using the Windows Recovery Console:

Windows XP instructions: http://support.microsoft.com/kb/314058 (just type ‘fixmbr’ in the console)

Windows Vista instructions: http://support.microsoft.com/kb/927392 (just type ‘bootrec.exe /fixmbr’ at the console)

After restoring a known-good MBR to the hard drive, you should be able to start Windows and perform an on-line antivirus scan to detect and remove any of the malware components or any other malware that may have been installed on the system and hidden by the rootkit. You can use the Windows Live OneCare Safety Scanner at http://safety.live.com to perform such a scan. It includes all the signatures for this malware.
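A read-only integrity check for the MBR layout described above, added here as an example that is not from the original post or from any Microsoft tool: it parses the 512-byte sector (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), compares the boot code hash against a known-good baseline, and reports unallocated sectors after the last partition, the region where the post says the hidden driver is stored. The sample sector, baseline hash and disk sizes are constructed for the example.

```python
import hashlib
import struct
from typing import Dict, List, Optional

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # x86 boot code occupies bytes 0..445
PARTITION_TABLE_OFFSET = 446   # four 16-byte partition entries follow it
PARTITION_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of every valid MBR


def parse_partition_entry(entry: bytes) -> Dict[str, int]:
    """Decode one 16-byte partition entry; the legacy CHS fields are skipped."""
    status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(image: bytes) -> Dict:
    """Split a raw 512-byte sector into a boot-code hash and its partition table."""
    if len(image) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(image)}")
    if image[510:512] != BOOT_SIGNATURE:
        raise ValueError("0x55AA boot signature missing; not a valid MBR")
    entries = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_LEN
        entries.append(parse_partition_entry(image[start:start + PARTITION_ENTRY_LEN]))
    return {
        "boot_code_sha256": hashlib.sha256(image[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": [e for e in entries if e["type"] != 0],  # type 0 = empty slot
    }


def check_mbr(image: bytes, baseline_sha256: str,
              disk_sectors: Optional[int] = None) -> List[str]:
    """Compare an MBR's boot code with a known-good hash and sanity-check the
    partition table. Returns a list of findings; an empty list means clean."""
    findings: List[str] = []
    info = parse_mbr(image)
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from known-good baseline")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    if disk_sectors is not None and info["partitions"]:
        # The post notes the driver is stored past the last partition, so
        # report any unallocated tail so it can be inspected.
        last_used = max(p["lba_start"] + p["sectors"] for p in info["partitions"])
        tail = disk_sectors - last_used
        if tail > 0:
            findings.append(f"{tail} unallocated sectors after the last partition")
    return findings


def build_sample_mbr(boot_code: bytes, entries: List[bytes]) -> bytes:
    """Assemble a constructed MBR image for the example (not read from a disk)."""
    table = b"".join(entries).ljust(4 * PARTITION_ENTRY_LEN, b"\x00")
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + BOOT_SIGNATURE


# Constructed sample data: placeholder boot stub bytes (not real boot code) and
# one active NTFS (type 0x07) partition starting at LBA 63 with 1,000,000 sectors.
_CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"
_NTFS_ENTRY = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                          b"\xfe\xff\xff", 63, 1_000_000)
GOOD_MBR = build_sample_mbr(_CLEAN_BOOT_CODE, [_NTFS_ENTRY])
BASELINE_SHA256 = hashlib.sha256(GOOD_MBR[:BOOT_CODE_LEN]).hexdigest()

# The same sector with its first bytes altered, standing in for a modified MBR.
TAMPERED_MBR = b"\xeb\x1e" + GOOD_MBR[2:]

if __name__ == "__main__":
    # Disk sizes are constructed: the clean disk ends exactly at the partition,
    # the tampered one has 2,048 spare sectors past it.
    for label, image, size in (("clean", GOOD_MBR, 1_000_063),
                               ("tampered", TAMPERED_MBR, 1_002_111)):
        print(label, check_mbr(image, BASELINE_SHA256, disk_sectors=size) or ["no findings"])
```

On a real system the 512-byte image would be read from the physical disk with a read-only handle and the baseline hash recorded from a known-clean install; a hash mismatch is the cue to restore the MBR with the recovery console commands above.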

The main driver makes outbound HTTP connections to a particular hard-coded IP address or domain. We presume this is so that it can receive instructions and/or register with its overseer. It may also be able to receive instructions which allow it to act as an HTTP proxy, or to download and execute further malware. The malware makes similar connections to a number of domains which appear to be pseudo-randomly generated.

More information about this malware is available in our virus encyclopedia write ups:

VirTool:WinNT/Sinowal.A: http://www.microsoft.com/security/portal/Entry.aspx?name=VirTool:WinNT/Sinowal.A

VirTool:WinNT/Sinowal.B:  http://www.microsoft.com/security/portal/Entry.aspx?name=VirTool:WinNT/Sinowal.B

PWS:Win32/Sinowal.gen!C:  http://www.microsoft.com/security/portal/Entry.aspx?name=PWS:Win32/Sinowal.gen!C

PWS:Win32/Sinowal.gen!D:  http://www.microsoft.com/security/portal/Entry.aspx?name=PWS:Win32/Sinowal.gen!D

Support

Customers in the U.S. and Canada can receive technical support from Microsoft Customer Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.

International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit International Help and Support.

-- Robert Hensing and Scott Molenkamp

This is a case where the Microsoft Malware Protection Center (MMPC) worked closely with the Microsoft Security Response Center (MSRC) to analyze the threat and develop guidance and mitigations. Rob "EL CONQUISTADOR" Hensing (Microsoft Security Technology Unit) and Scott Molenkamp (Microsoft Malware Protection Center, Australia) contributed to this blog in an effort to share this information with customers and partners.

Posted by blogmalware | 1 Comments

Microsoft Security Intelligence Report (January – June 2007) is Now Available

One of the Microsoft Malware Protection Center’s (MMPC) goals is to share the valuable data, insights and expertise we have with customers on a regular basis in an effort to help customers better understand the changes occurring in the threat landscape and improve their defenses accordingly.  We just released the third volume of our threat report, called the Security Intelligence Report (SIR). The SIR shares the conclusions drawn by our research team using data gathered from the Microsoft Malicious Software Removal Tool (MSRT), Windows Defender, Windows Live OneCare, Windows Live OneCare safety scanner, Exchange Hosted Services, and Forefront Client Security (FCS).  The net result is threat-related data from several hundred million Windows-based systems.

The MMPC partners with several groups within Microsoft to make the SIR a unique threat report.  The Microsoft Security Response Center (MSRC), the Trustworthy Computing (TwC) group and numerous product groups all contribute to the report.  In this volume of the SIR, the MSRC has written a couple of sections on software vulnerability disclosures and exploits.  Here’s an example of one observation by the MSRC:  The number of disclosed vulnerabilities across the software industry continues to climb, with more than 3,400 new vulnerabilities disclosed in 1H07. But according to the data we’ve gathered, this number actually represents a decrease from 2H06, the first period-to-period decline in total vulnerabilities since 2003.  Another trend identified by the MSRC is that while the number of vulnerabilities continues to increase, the ratio of exploit code available for those vulnerabilities is on a slight decline.

We have been listening to feedback from customers, partners and analysts regarding what they liked in past releases of the SIR and what they thought could be improved.  Based on that feedback we have made some big changes in this new volume of the SIR that I hope readers will like.  Please keep the feedback coming!  Some of the changes we made in the new SIR include:

· The report includes a new section on Software Vulnerability Exploits, which is authored by the MSRC.

· The report now has a new look and feel, which includes an executive summary as well as customer guidance (strategies, mitigations, and countermeasures) in each section of the report.

· A ten-page “Key Findings Summary” is also available, which provides an executive summary of the 92-page SIR.  This summary is available in the following languages: Chinese (Simplified), Chinese (Traditional), English, French, German, Italian, Japanese, Korean, Portuguese (Brazil), Russian, Spanish.

· From the data in the SIR we can see that the trends continue in a direction that indicates attackers are financially motivated and are adjusting their tactics along with constantly modifying the threats, both malicious and potentially unwanted (you can read more about what distinguishes each of these in the report), that they use to support this goal.  Some examples of findings in the new SIR:

  o Significant increases in categories, such as Trojan downloaders, potentially unwanted software (which includes rogue security software), and exploits, suggest that distribution of potentially unwanted software is less and less a matter of a normal affiliate model and more often malicious and/or criminal in method and intent.

  o The MSRT removed significantly more malware in 1H07 than in previous periods.  It removed malware from 1 out of every 217 computers in 1H07, compared to 1:409 in 2006 and 1:359 in 2H05.

  o We found 65% less Potentially Unwanted Software and 60% less malware on computers running Windows Vista than on computers running Windows XP SP2.

You can read more in the SIR: www.microsoft.com/sir

Thanks,

Vinny Gullotto

Posted by blogmalware | 2 Comments

Back from Vienna/VB2007

Hi again, WOW so a month now since the VB2007 Conference in Vienna, Austria.  Vienna was beautiful!

Where has the time gone, since then!?

I couldn’t let too much more time pass before saying a few words, as I’m finally off the road to be able to sit and gather some thoughts on it.

We (The Microsoft Malware Protection Center, a.k.a. The MMPC) were a platinum sponsor of this year’s conference and many folks from the team traveled far and wide to get there from our Ireland, Australia, and U.S. labs to attend and present at the event.

I want to thank all who attended my Sponsor's Presentation at the conference.  During the presentation I gave an overview of Microsoft’s entry into the anti-virus market, how we have been working to continually improve our research and response capabilities, and also introduced some of the key industry hires we have made over the past year.  

As usual, it was great to see everyone: the best and brightest folks in the anti-malware industry, who do this work, keep you protected and informed, and talk about what’s been, what’s next and what needs to be done.  It also gave attendees the chance to meet and discuss important issues with some of our researchers, including Jimmy Kuo, Katrin Totcheva, and Jakub Kaminski, all of whom have attended VB for years. Folks also got to meet some of the team who attended for the first time, like Alex Carp, Kyle Larsen and Todd Gaiser.

We had some productive discussions with attendees regarding new threats to Internet users, anti-virus testing methodologies, how the MMPC is evolving, and where the best restaurants in Vienna are located. :-)  Much discussion went into how to transform the WildList to better represent the real threats of today.  Those conversations, as I’m sure you can imagine, were quite lively and just an opinion or two were shared.

We look forward to the changes that are likely to develop from these discussions.  I really enjoyed the session on sample sharing that Dmitry Gryaznov and Joe (Feech) Telafici presented, as well as the discussions that followed – especially the interview Feech gave to the “BBC” :-).  The explosive growth in malware presents some interesting engineering challenges, like in the area of storage, that the anti-malware industry needs to address.

Onward we continue to go, both as a collective industry and as individual organizations, to drive these programs and change forward. I’m looking forward to seeing how some of these conversations play out; I clearly plan to have the MMPC at the forefront (hehe) of those conversations, as we have had many customers tell us they want and expect us to be there. They can count on it.

October and November are busy months for us…stay tuned!

Vinny Gullotto

Posted by blogmalware | 1 Comments

Storm Drain

Over the past few months, there has been talk about a wave of malware known commonly as “Storm”.  “Storm” has been noted to be responsible for Distributed Denial of Service (DDoS) attacks, mass phishing emails, spam, botnets, and all sorts of online malicious activity.

While the name “Storm” was adopted by press, security companies had already adopted a myriad of names for the set of malware that encompasses this attack.  Here at Microsoft, we refer to certain components as Win32/Nuwar and others as Win32/Tibs.  Other names such as Zhelatin and shorter names associated with brief attacks have also been used, such as e-card or nfltracker.  As I noted, there are many different components, each with its own specialized functionality, so over time, many names have been used.

In August, Microsoft’s Malware Protection Center (MMPC), the group of researchers responsible for each month’s additions to the Malicious Software Removal Tool (MSRT), decided to add this family to the September MSRT release based on its prevalence.  The MSRT updates are released monthly in conjunction with Microsoft’s security software updates, and are free to the public in an effort to remove prevalent malware from the Windows eco-system and improve everyone’s ability to enjoy the Internet.  With more than 350 million machines around the world that run this program, it requires great care and planning to release each new version.

After much work and testing, we made this month’s MSRT available for download September 11, and now, after one week, we would like to share some of the statistics with you.  But before I do, the researcher in me requires that I give you the caveats.  First, MSRT is targeted against very specific known malware.  It is well known that the “Storm” attacks are engineered by criminals who update their malware frequently.  As a result, we are in an endless chase.  But that doesn’t mean we shouldn’t try to make things better.  Also, once we decide to take on a family in the MSRT, we continue the assault on that family moving forward, so we will keep at it.  Because of all the testing that has to be done, we have to freeze our signature additions weeks in advance to make sure we have ample time to do the testing required to release a product as error free as possible (since even a small percentage of errors will impact thousands or millions of people).

Finally, to the numbers (numbers as of 2PM Tuesday, PDT).

The Renos family of malware has been removed from 668,362 distinct machines.  The Zlob family has been removed from 664,258 machines.  And the Nuwar family has been removed from 274,372 machines.  In total, malware has been removed by this month’s MSRT from 2,574,586 machines.

So, despite some public concern in the press and among researchers about the “Storm” worm, it ranks third among the families of malware whose signatures have been added to the MSRT. 

Another antimalware researcher who has been tracking these recent attacks has presented us with data that shows we knocked out approximately one-fifth of “Storm’s” Denial of Service (DoS) capability on September 11th.  Unfortunately, that data does not show a continued decrease since the first day.  We know that immediately following the release of MSRT, the criminals behind the deployment of the “Storm” botnet immediately released a newer version to update their software.  To compare, one day from the release of MSRT, we cleaned approximately 91,000 machines that had been infected with any of the number of Nuwar components.  Thus, the 180,000+ additional machines that have been cleaned by MSRT since the first day are likely to be home user machines that were not notably incorporated into the daily operation of the “Storm” botnet.  Machines that will be cleaned by MSRT in the subsequent days will be of similar nature.

The effort by criminals who try to usurp machines on the Internet for their criminal enterprise continues.  The September release of the MSRT probably cleaned up approximately one hundred thousand machines from the active “Storm” botnet.  Such numbers might project that the strength of that botnet possibly stood at almost half a million machines with an additional few hundred thousand infected machines that the “Storm” botnet perhaps were not actively incorporating.

Unfortunately, “the virus you are most likely to be infected with is the one that you most recently cleaned” because people with a habit of doing something are likely to repeat whatever they did.  Despite so many machines having been cleaned recently by MSRT, the “Storm” botnet will slowly regain its strength.  This highlights that MSRT is only effective if it is used in conjunction with a real-time antimalware program or package.

As I said before, once we set our sights on a particular malware family, we will continue in that fight.  So, we await the next release of MSRT when hopefully, we will take another bite out of crime.

-- Jimmy Kuo

Posted by blogmalware | 6 Comments

Malware Protection Center Portal v1 Live!

Hey all, if you recall, back in April we released the PREVIEW version of our new portal affectionately known as the Microsoft Malware Protection Center Portal.  Since then we’ve received loads of feedback from customers and partners on what they like about the portal and the features they really want to see now and in the future. All of it great stuff!

The official Version 1 of the Microsoft Malware Protection Center Portal is now live!

You can check it out here:  http://www.microsoft.com/security/portal/

Some of the features you asked for and we included are:

· Access to our malware encyclopedia.

  o When you need to do some research on a particular threat or family you can search or browse our encyclopedia and get the details we’ve written about on it.

· Download our antivirus and/or our antispyware signatures.

  o We recommend updating daily, and the products will do it for you, BUT if you want you can do it yourself for the Forefront client or Windows Defender products, on both 32-bit and 64-bit systems.

· Threat and Potentially Unwanted Software Telemetry.

  o The portal provides information on the top threats and potentially unwanted software that we are observing and that’s being reported to us by YOU. Each top ten category provides links to read up on those listed.

· Tools and Resources.

  o We have a collection of links to tools and resources that we think can be useful and interesting to you including blogs and the Microsoft Security Intelligence Report.

· Microsoft Security Intelligence Report.

  o And of course no blog would be complete without me mentioning the SIR; we have a page dedicated to hosting the various reports we produce:  http://www.microsoft.com/security/portal/SIR.aspx

And last but not least we have the Sample Submission feature! You got a file that you think is infected and want to know for sure?? Upload it to us, we’ll take a look and let you know.

This is just the start – literally a v1 release.  As always we want to hear what you think about the portal – the good, the bad, and the ugly (don’t be shy).  Please send us feedback and let us know which features you want to see in future releases.  mpcfb@microsoft.com

Take care, more soon!!

Vinny

Posted by blogmalware | 3 Comments

My TechEd Summer Vacation

Hi again, just recently returned from MS TechEd in Orlando, oh it was HOT!

It was great to get a chance to meet some customers and partners face to face and discuss what’s happening at a more granular level today in the enterprise.  The issues they face are of course at the heart of what we’re providing solutions for, and hearing them allows us to reprioritize where needed to make sure we’re addressing things daily, as that’s how fast we see things happening at the moment, as I know others do as well. Oh, the days of the boot sector infector are long behind us and the pace at which we all must move now is lightning speed, ya gotta love it!

Some of the important questions and issues we discussed included things like Rootkit technology, naming conventions and the overall breadth of the problem today around spyware and what next generation of threats would we see.

In addition, there were many concerns about the never ending Bot problem and of course how the Microsoft Malware Protection Center will continue to grow to support customers globally.

My commitment to them was to return in some way, shape or form and update them on our progress in these areas through this blog and next year at TechEd.

The customers that attended the presentation seemed a bit overwhelmed by the data we put together in our last Security Intelligence Report.

When I returned back to Redmond, one of the first things I did was go to the TechNet recording studios and record a Security Intelligence Report webcast.  If you don’t have the time to read the full report (http://www.microsoft.com/downloads/details.aspx?FamilyId=AF816E28-533F-4970-9A49-E35DC3F26CFE&displaylang=en ) this webcast is an easy way to hear about all the findings in the report and come up to speed on the malware trends we have been observing.

Check it out! 

http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032340085&Culture=en-US

There is more to come…stay tuned.

Vinny Gullotto

Posted by blogmalware | 0 Comments

VB 100 Test Results Are In...

As I mentioned in my last blog post, our researchers and engineers in the Microsoft Malware Protection Center have been focusing their efforts on protecting customers from current, in the wild threats, and established an undertaking to achieve the next VB100 award.  Today Virus Bulletin announced the results of their latest tests and Windows Live OneCare as well as Forefront Client Security have both been awarded their VB100 award. 

http://www.virusbtn.com/vb100/index

-- Jimmy Kuo

Posted by blogmalware | 0 Comments

Continuing to move forward – the Microsoft Malware Protection Center

Fresh off our visit to Japan, where we discussed issues important to the Microsoft Malware Protection Center, we continue to move forward with our goal of being a premier anti-virus research and response center (R&R).   Last week’s news of our new global response centers has been well received and that’s excellent!  It’s important for our customers that we succeed at the set of goals we’ve declared and get ourselves into a leadership position not only to support the applications we are delivering, but to fine tune some of the processes we’ve created to better support our partners, the industry and the community at large who rely on MS and others to protect them from today’s threats.

When I arrived 8 months ago, MS had the makings of a team that was poised to break through to the next level of R&R. There were some key elements missing; I believe we have added those in the past 6 months and are prepared to see our goal realized. One of the key elements we added was opening the new centers in Dublin and Tokyo, and we have plans to add more centers soon. In addition, the new portal, which may be the most significant change, is now a home to display the day to day workings of the team, as well as be a place everyone can visit to see what we uncovered and track.

Check it out! www.microsoft.com/security/portal

On a more important note, our detection numbers are continuing upwards. I know this is a subject of ongoing interest for many, and we continue to push the team hard in this area because in the end it will be the most visible measure of our success.

We just once again had the OneCare product ICSA and West Coast Labs certified, AND Forefront is now West Coast Labs certified and is in the process of being ICSA certified as well. We feel very confident that we’ll achieve the VB100 Award for both products as well, when the results are published by Virus Bulletin in June. This to me will exemplify the work we’ve been focusing on and continue to do.

And finally, we established some key areas and defined a set of benchmarks imperative for us to achieve world class response credibility. This, of course, is the essential element given today’s targeted attacks are more advanced than ever before.

We’ve applied the basic principles that our partners who came before us have used to provide world class response to customer queries (including automated responses and queue processing for customer submissions and, of course, analysts globally to respond regionally), and we have the added element that is unique to MS, which is the insight into the more than 400 million Windows users worldwide.

These customers have consistently asked us to provide support to the ever growing threat of viruses, worms, Trojans and unwanted programs that plague their environments today.

I’d ask that you continue to check back as we provide updates straight from the labs as well as from those watching and monitoring our success. Just this past week we released a new volume of our Security Intelligence Report.  The report outlines the trends that we have observed in the malicious software and potentially unwanted software landscapes over the last six months (http://go.microsoft.com/fwlink/?LinkID=88436&clcid=0x409). 

We have a lot more in store and a lot more that we can be counted on to deliver.

Thanks,

Vinny Gullotto

Posted by blogmalware | 1 Comments

Hello world

printf("hello world\n");

This is Jimmy Kuo of the Microsoft Security Research & Response team (MSRR).  (What a wonderful thing to say and see written down.)

Recently, there have been some tests that have brought into question the detection capability of Windows Live OneCare.  Customers and partners have asked us to address these concerns and because the detection capability in Windows Live OneCare is the responsibility of the MSRR team I’d like to address those concerns.  (Addendum: The OneCare team has just posted their comments on this issue on their blog at http://windowsonecare.spaces.live.com/ )

When we think about priorities we put our customers first and in doing that we ask ourselves, “What do our clients want?  What do they need?” 

In my years in this business, the answer to the first question is some form of, “I want to be able to sleep soundly each night knowing that when I wake up, my world hasn’t fallen apart.  And if something does happen, I can rely on my vendor to easily resolve it for me.”  To that end customers using Windows Live OneCare are supported by Customer Support and Service and the MSRR team.  Through those two channels they have the support structure needed to address any service request that comes to us at any hour of the day from anywhere in the world. 

What our clients “need” is for us to identify what things are important and be sure to address them before they become an issue for our users.  This is why MSRR is focused on adding detections for the most prevalent and active malware in the wild and we do that by combining our breadth of data with experienced malware researchers and automated analysis techniques to rapidly respond to the threats that will have the greatest impact to our customers.   To that end, while the recent detection numbers were not stellar, we look to ICSA Labs (www.icsalabs.com), West Coast Labs (www.westcoastlabs.org), and Virus Bulletin (www.virusbtn.com) to make sure we are covering what is most important.  ICSA Labs and West Coast Labs are certification bodies (ICSA Labs in the United States, West Coast Labs in Europe).  Virus Bulletin is the industry rag, but they have the most highly respected and longest running tests, and in so doing, set many of the industry’s testing standards.  We will keep on working with these certification bodies to maintain our certifications, and to acquire the VB100 Award each time we are tested by Virus Bulletin.  We missed capturing a VB100 in the last test because we missed one virus.  So, as a result we have adopted new methodologies to remedy that.  The methodology we adopted is to look more closely at families of viruses that have been found to be “in the wild” (ITW) (found actively spreading among users).  This means someone working off the same code base is actively spreading the malware of this family, and thus more of the same family will likely become ITW in the future.  And we want to be able to detect them with signatures we write today rather than after they’ve been loosed upon the public.

Building on the previous concept, we look to many other feeds that tell us similar things.  The MSRT (Windows Malicious Software Removal Tool) is one that can tell us which families are more active, so we can anticipate more future variants of those families.

That still leaves many malware samples that the recent tests showed we still do not detect.  As I noted, there is data that can tell us which, if any, of that set is truly important (those actively being spread ITW), and those are added ASAP.  The rest are being worked on and, as promised, our numbers will get better and better.  Another thing that I know our clients want, especially the system admins who use our product, is, “I want you to keep my boss off my back so I can have time to do my job!”  Even if the company networks are running smoothly, the boss will see those test results and bug the admins about them.  So it’s also about making sure our customers *feel* better protected when using our products.

So while we concentrate on what’s truly important (malware actively being spread ITW), we will also be bringing up these other test detection numbers. You will see our results gradually and steadily increase until they are on par with the other majors in this arena.  And soon after, they will need to catch up to us!

Vinny Gullotto, General Manager of Microsoft Security Response and Research, tells me that he’ll be following up on this post within the next week to talk about some of the additional steps we are taking to continue growing our world class research and response team.  He and I are both accustomed to working in, and building, world class response teams, and we know that Microsoft is committed to creating one that serves our customers, works with the anti-malware community, and supports the eco-system as a whole.

Hopefully, I’ve provided some insight into how we are prioritizing and focusing the work we do to support our users, presently and in the future.  We know that we are in a service industry.  We’re ramping up to be able to handle that, and Microsoft is making sure our customers are in good hands by hiring some of the best and brightest in the antivirus industry.  For our current users, we have certification bodies that make sure we are doing what’s necessary and important.  And we have other monitors to determine what’s spreading, and thus are confident that we can protect our users against anything they might encounter in real life.  And we will bring our numbers up, as we know our customers want that to feel better protected, and, well, to get our bosses off our backs.  :-)

Posted by blogmalware | 5 Comments

Virus Bulletin 2006

A contingent from our antimalware team attended the Virus Bulletin conference in Montreal, Canada two weeks ago, 12 of us in all.  Matt Braverman and I were both presenters, and I also moderated a panel discussing progress made by the Anti-Spyware Coalition.

My paper entitled "I Know What You Did Last Logon" was a look into monitoring software from the perspective of privacy and the boundaries of appropriate versus inappropriate use for such technology.  I examined this from several angles including a discussion of several court cases that illustrate both sides of the discussion.  I also drilled into several pieces of malware for a more detailed discussion of the technical methods employed by monitoring software.

Matt's paper, entitled "Behavioral Modeling of Social Engineering-Based Malicious Software", focuses on malware that leverages social engineering to infect a computer. It reviews techniques used both in the past and present and uses up-to-date data from the MSRT to identify those social engineering techniques which have been particularly successful. For example, we've found that using "generic conversation" techniques in an email seems to be one of the most effective ways to lure a user into executing an attachment to that email. Such techniques usually leverage short email subjects and bodies (e.g. "Here is that document you asked for") to mimic conversations that may have occurred "in real life" between the email recipient and the sender, whose address the email may spoof.

Copies of both papers are now available through the download center; let us know what you think.

-- Jeff Williams
Security Research & Response

Posted by blogmalware | 2 Comments

Security Intelligence Report

This week at RSA Europe in Nice, France we released a report detailing the security landscape for the first half of 2006. The report lays out details collected through our various antimalware technologies. It highlights a number of trends, such as a reduction in the number of rootkits and trojans detected by the Malicious Software Removal Tool (MSRT) compared to the second half of 2005, social engineering as a popular and successful method of malware distribution, the frequency with which specific potentially unwanted software is kept or removed, and the specific locales which have the highest incidence of infection.

Some of the key points we think our readers will be interested in are:

  • Threats against consumers and businesses are continuing to become more targeted and motivated by financial gain, with backdoor Trojans and bots continuing to comprise a significant percentage of the malicious software detected by Microsoft anti-malware offerings;
  • Social engineering continues to be a popular means of spreading malware, especially when sent over e-mail and peer-to-peer (P2P) networks;
  • Rootkits are likely to continue to be popular for targeted, stealth intrusions.

The data used to identify these trends comes primarily from the Malicious Software Removal Tool and Windows Defender, as well as Windows Live OneCare, the Windows Live OneCare safety scanner, and Microsoft Exchange Hosted Filtering. In the six months covered by the report, these tools cleaned nearly 27 million pieces of malware or potentially unwanted software and blocked hundreds of millions of infected email messages.

Based on the data we analyzed and the trends observed, we also make specific recommendations for how you can better protect the systems that you manage.

You can find the full report here. We welcome your feedback.

Matt Braverman, Jeff Williams & Ziv Mador

Posted by blogmalware | 0 Comments

Final release of Windows Defender (Build 1592)

It brings me great pleasure to announce the final availability of Windows Defender in English. The team has been working hard for over a year and fixed over 400 bugs in the areas of stability and reliability since Windows Defender (Beta 2). We plan to release localized versions in the next few months including but not limited to German, Japanese, French and Spanish. All in all, we plan to deliver over 20 localized versions of Windows Defender.

We are recommending that current Beta 2 customers upgrade to the final release of Windows Defender, since Beta 2 will expire on December 31st, 2006. We will also send a notification to upgrade to current customers in the next few weeks, so be on the lookout. Finally, as a part of Microsoft’s ongoing security commitment, we are offering 2 free support incidents for our customers. If you are having any issues with Windows Defender during scanning, installation, detection or removal, you can call our support services and we will help you resolve the issue.

Lastly, I want to thank the Anti-Malware engineering team for all their hard work. I believe that Windows Defender has done a tremendous amount to help make millions of computers around the world more secure. I also want to thank our great community of testers and MVPs who have made this release possible by testing and reporting bugs throughout our development cycle. We couldn’t have done it without you!

Now, go upgrade and install Windows Defender today!

Adam

Posted by blogmalware | 16 Comments

Testing A New Definition Update Publishing Process for Windows Defender

Hi Folks,

Adam here from the antimalware team. I wanted to give you a heads-up that we will be testing a new definition update process in the next two weeks. Definition updates for Windows Defender (Windows Vista and current platforms) will be published daily (Monday-Friday) starting from August 1st and will continue for 2 weeks until August 15th, 2006. We are testing a new end-to-end definition update release pipeline that will allow us to publish definition updates at a higher frequency, and we would like to get a better understanding of issues that may arise due to this higher frequency update process. At the end of this period, Windows Defender updates will return to our normal twice weekly schedule.

We have been working for the last few months so that our new signature release process will be able to publish updates much more frequently and on a flexible schedule. As the next step, we will start releasing Windows Defender updates every day (Monday to Friday) within a trial period for the next two weeks, ending August 15th, 2006. Again, we will return to a twice weekly release schedule after August 15th, but with this new process we will be able to release updates on a more flexible schedule, on any day including weekends and holidays, for emergency situations. We want to understand how well the new process satisfies a daily release cycle and receive customer feedback during this trial period, so please post your definition update experience to our newsgroups.

We hope that this test of our new process shows the progress that we’re making towards providing better and more timely protection for our customers as we head towards our final release.

Thanks,

Adam

Posted by blogmalware | 2 Comments

Antimalware Team Releases MSRT White Paper

Hello there. I'm writing to you from the Microsoft TechEd conference in Boston. This event attracts over 10,000 attendees interested in learning about current and future Microsoft products. It's also a great place for getting feedback from our customers and we'll share some of that feedback next week.

Yesterday, the Microsoft Antimalware team released a new white paper entitled "Windows Malicious Software Removal Tool: Progress Made, Trends Observed". The paper highlights Microsoft's uniquely broad understanding of the malware landscape, illustrating how the tool has removed 16 million pieces of malicious software from 5.7 million unique computers from January 2005 to March 2006. On average, the tool has removed at least one instance of malicious software from every 311 computers it has run on. A core objective of Microsoft's release of the tool is reducing the impact of malicious software on Windows customers and the report describes how removals of 41 of the 61 malware families have decreased with 21 of those families exhibiting a decrease by more than 75%.

The report goes on to highlight several trends related to malicious software categories, such as backdoor Trojans (including bots) and rootkits. For example, of the 5.7 million unique computers from which the tool has removed malware, a backdoor Trojan was present in 62% of the cases. We have noticed that there has been some confusion over this statistic so, to be clear, keep in mind that this percentage is of the population of infected computers. In other words, when the tool does find an instance of malware on one of every 311 computers, there is a 62% chance it will be a backdoor Trojan. This statistic does not mean that the tool has removed a backdoor Trojan from 62% of the computers the tool has run on.

What does this mean for our customers?  Our goal is to provide our customers and partners with an accurate understanding of the types of threats that exist so they can take appropriate action to ensure that they are protected.  It also means that we’re able to use this data, and data gathered from other resources, to continually evolve our understanding of the malware environment and to continually improve the way we respond to customers when faced with malicious threats.

We hope that you find the data and guidance provided by the paper interesting and actionable. Any feedback is welcome and will be taken into consideration for future threat reports produced by the Microsoft Antimalware team.

-Matt

PS: Below is a picture of some of the antimalware team at TechEd. From left to right: Adam Overton (Group Program Manager), Mike Chan (Senior Product Manager), Matt Braverman (Program Manager), Jason Joyce (Program Manager), and Sterling Reasor (Program Manager).

Posted by blogmalware | 8 Comments