Anti-Malware Engineering Team

We have moved!

blogmalware — Fri, 20 Jun 2008 05:31:00 GMT

To ease navigation and be more in synch with our security colleagues within Microsoft, we have moved to a new blog address: http://blogs.technet.com/mmpc

We hope you like the new look. Please remember to redirect any links to our new web address.

When SQL Injections Go Awry, Incident Case Study

blogmalware — Sat, 31 May 2008 04:37:12 GMT

It seems to be the "in-thing" these days - using an automated tool to perform SQL injections against vulnerable sites across multiple domains. Although the attack method isn't new, some sites are hit multiple times, as evident by a corruption of the injection code when one attacker overwrite a previously injected record. Below, you can see cached search results when searching for a specific known script injection:

Image 1: Search results indicating embedded scripts - multiple attacks

In the above highlighted portion, note the beginning of an original script tag injection being superimposed with another script tag injection. Below, you can see the effect of multiple attacks on another site and as evident in the page source:

Image 2: HTML source indicating multiple embedded script tags from various SQL injection attacks

Speaking of SQL injections however, one has to wonder - what's all the hype? What are attackers after or what is their motive? It would seem that there are several motives, but one motive that may (or not) be surprising is the uprising in injecting code that executes multiple exploits in an attempt to download and execute game password stealers. Let me say that again - game password stealers.

We continue to monitor injected scripts, and add detections to cover various iterations - the threats are detected as "Trojan:JS/Redirector":

Image 3: Microsoft Forefront Client (FCS) Security Warning alert

Our friends over at ShadowServer have compiled a list of offending domains that are either compromised and don't know it, or are under control of an attacker and are hosting (or did host) malicious scripts or executables. Below is a list as of May 14 2008 of domains, courtesy of this link:
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514

Domain

nihaorr1.com
free.hostpinoy.info
xprmn4u.info
nmidahena.com
winzipices.cn
sb.5252.ws
aspder.com
11910.net
bbs.jueduizuan.com
bluell.cn
2117966.net
s.see9.us
xvgaoke.cn
1.hao929.cn
414151.com
cc.18dd.net
yl18.net
kisswow.com.cn
urkb.net
c.uc8010.com
rnmb.net
ririwow.cn
killwow1.cn
qiqigm.com
wowgm1.cn
wowyeye.cn
9i5t.cn
computershello.cn
z008.net
b15.3322.org
direct84.com
caocaowow.cn
qiuxuegm.com
firestnamestea.cn
a.ka47.us
a188.ws
qiqi111.cn

Approximate # of
Pages Injected
468,000
444,000
369,000
140,000
75,000
69,000
62,000
47,000
44,000
44,000
39,000
39,000
33,000
20,000
17,000
15,000
15,000
13,000
13,000
9500
7000
6000
4000
3600
3500
2800
2500
2300
1600
1200
1100
900
800
700
600
500
230

I was reviewing the 'qiqi111.cn' attack and learned that the malicious script requested files from these domains: 'pigzd.cn' and 'dota11.cn'. I decided to follow the white rabbit, taking the first domain and I began to retrieve the malicious script 'am6.htm' (identified already as "Exploit:JS/Repl.B").

The script 'am6.htm' contains a handful of attack methods, attempting exploits to download and execute more code:

Image 4: Source code of 'am6.htm' illustrating the attack methods

I know what you're saying, "what the heck, what are all these iframes?", so let's take a quick look at them:

This attack focuses on systems that have not applied Microsoft Security Bulletin MS06-014. The attack specifically targets a Microsoft Data Access Components (MDAC) ADO ActiveX Control "RDS.DataSpace" in order to execute arbitrary code, or in this case, another Web hosted script - identified as "TrojanDownloader:JS/Psyme.BA" - it tries to retrieve and execute an online game password stealer as a file named "mm.exe" (from the domain 'gf.ccves.cn')
This attack executes the ActiveX control for RealPlayer - this method also allows execution of code - identified as "Exploit:HTML/Repl.D"
This attack exploits a 0 day vulnerability in an Avatar ActiveX control for Ourgame GLWorld named "C:\Program Files\GlobalLink\Game\Share\GLAvatar.ocx" and referenced by its control "GLAVATAR.GLAvatarCtrl.1" - when the ActiveX control executes, it loads a script that contains a vulnerability against another ActiveX Control contained in 'GLIEDown2.dll', a library component of GLWorld; there isn't yet a CVE (Common Vulnerabilities) ID for this vulnerability, thus it's considered "0 day". It was issued a Bugtraq ID 29118, and as of the time of this writing there, public awareness of the vulnerability seems somewhat low, and not well discussed other than this blog entry, and one from Trend Micro - the HTML file 'axlz.htm' is identified as "Exploit:JS/Gdow.A"

Incidentally, there are other known exploits components of GLWorld (www.ourgame.com):
* Multiple Buffer Overflow Vulnerabilities within "HanGamePluginCn18.dll" referenced by this control:
HanGamePluginCn18.HanGamePluginCn18.1

* Stack-based Buffer Overflow Vulnerability within "GLChat.ocx" referenced by this control:
GLCHAT.GLChatCtrl.1

* Ourgame 'GLIEDown2.dll' ActiveX Control Remote Code Execution Vulnerability referenced by this control:
GLIEDown.GLIEDown.1
This attack exploits a vulnerability in Baofeng Storm StormPlayer ActiveX control - identified as "Exploit:Win32/Senglot.J"
This last method is an attack against an ActiveX control for Xunlei Thunder DapPlayer - this file was not available at the time of this writing

So with five opportunistic attacks, the odds increase in favor of acquiring some Internet nasties and we will continue to monitor these attacks.

Additional Resources

During our research, we analyzed some of the malicious scripts. More details about these scripts are available at our Microsoft Malware Protection Center Encyclopedia:
http://www.microsoft.com/security/portal/Entry.aspx?Name=Trojan:JS/Redirector.H
http://www.microsoft.com/security/portal/Entry.aspx?Name=Trojan:JS/Redirector.I
http://www.microsoft.com/security/portal/Entry.aspx?Name=Trojan:JS/Redirector.J
http://www.microsoft.com/security/portal/Entry.aspx?Name=Trojan:JS/Redirector.K
http://www.microsoft.com/security/portal/Entry.aspx?Name=Trojan:JS/Redirector.L
http://www.microsoft.com/security/portal/Entry.aspx?Name=Trojan:JS/Redirector.M
http://www.microsoft.com/security/portal/Entry.aspx?Name=Trojan:JS/Redirector.N

Additional resources and recommendations are available from the Security Vulnerability Research & Defense team: http://blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx

and from Bala Neerumalla, Microsoft Corporation, who discusses common coding mistakes in ASP code that can lead to SQL Injections in the following article: http://msdn.microsoft.com/en-us/library/cc676512.aspx

-- Patrick Nolan

Oderoor - all it's Kraked up to be?

blogmalware — Thu, 22 May 2008 06:12:52 GMT

Greetings from (sorta) sunny Melbourne, Australia! We’re the newest addition to Microsoft’s Security Research and Response global team. In arbitrary seating order we have: Jakub Kaminski, Scott Molenkamp, Hamish O’Dea, Heather Goudey, Raymond Roberts, David Wood, Chun Feng, Oleg Petrovsky, Hermineh Tchagatzbanian, Hil Gradascevic and Matt McCormack. In the same order we have: Skinny Latte w/ 1, Espresso, Skinny Latte w/1, Skinny Latte w/1, Latte w/1, Hot Chocolate, Latte, Cappuccino, Cappuccino and Latte. Try carrying all those coffees at once – it’s not easy.

After our inclusion of the Win32/Nuwar (alias Storm) family last September (http://blogs.technet.com/antimalware/archive/2007/09/20/storm-drain.aspx) and the dent we put in the Win32/Cutwail (alias Pandex) network in January this year, we thought we’d continue the anti-spam motif by targeting the Win32/Oderoor (ominously dubbed ‘Kraken’) network. Research shows botnets with cooler names are way scarier.

“Spam networks you say?” “Why spam networks?” – Oh, convenient question random person! Glad you asked! In our recently published Security Intelligence Report (http://www.microsoft.com/security/portal/sir.aspx *) it was found that around 96% of inbound messages to Exchange Hosted Services were blocked because they had spam on them. Spam all over them. The SIR also found that approximately 80% of all spam that (tries to) go through Hotmail is from a botnet of some sort. I know it’s hard to believe, but those are graphs and charts people. Graphs with bars. Bars of truth. Research shows that statistics never lie.

Since the bad guys aren’t paying for the hardware or bandwidth, they can send spam to their hearts content. All that’s needed is one in every few billion emails to fool someone into buying the pills (which don’t work by the way...) or giving up their bank account details (some nice man from Nigeria emailed them personally!) to make it a worthwhile industry.

In case you weren’t aware, the always interesting Joe Stewart over at SecureWorks recently published a list of the top spam botnets (http://secureworks.com/research/threats/topbotnets/). As is to be expected our old friends Nuwar and Cutwail were there, along with THE KRAKEN. Joe’s estimate was that the size of the network was around 185,000 nodes, and spewing around 9 billion emails per day. Research shows that 9 billion emails is, in fact, a large number of emails. There was some contention over at the Damballa (http://www.damballa.com ) camp, who thought the network was more like 400,000 nodes strong. Either way, that is a lot of infected machines.

Being the helpful lads they are, the guys over at DVlabs (http://dvlabs.tippingpoint.com/) thought they’d get to the bottom of the ‘Mystery of the Disappearing Botnet Nodes’ and take a peek at the network from the inside (http://dvlabs.tippingpoint.com/blog/2008/04/28/kraken-botnet-infiltration). Whilst this doesn’t really help us with the number estimate, they did manage to obtain 65,000 unique infected IP addresses, so now we only have to account for the other missing 125,000-335,000 nodes. With so many nodes around you’d figure people would be tripping over them all over the place. Sadly not. :(

When we first identified Oderoor as a distinct family back in September 2007, links to the bots were being spammed through IM and the files themselves were encrypted to the wazoo (well, they still are doing both of those things). It didn’t take long for us to get a hold of the situation, but for the most part vendor detection remained very low. For months afterwards, we were one of the few vendors to be detecting new variants as they came in (turns out we had got samples from as far back as May that year, however the encryption was fairly rudimentary). As is to be expected, the family shone brightly on our radar and was being considered for MSRT inclusion at around the time that Joe published his article. So it all worked out rather nicely :).

Finally, our perspective on the Win32/Oderoor botnet; what MSRT has found. The numbers tend to go up and down, so I’ve included the first week wrap-up. Extrapolating (since we know how these things tend to pan out), we can probably expect in the order of 300k distinct machines this month that were cleaned of Oderoor.

Win32/Oderoor MSRT removals-first week

Detections

Machines

Total:

463619

254073

Average/Day:

66231

36296

So our size estimate is somewhere in the middle of the SecureWorks and Damballa numbers. Of course our numbers are not the definitive answer. Whilst we run on 500 million machines and can get a pretty good idea of what’s going on, there are still a lot of machines out there that aren’t running MSRT; possibly because they don’t have automatic updates turned on.**

Question: How do these numbers compare to ‘Storm’ in the first few days?

Answer: Pretty close :)

If we take a look at the first week removal results from Nuwar, we can get an idea of the relative size of the network. The Cutwail removal numbers are included to complete the spam trio. I’ve also included the graph because graphs are impressive.

Win32/Nuwar MSRT removals – first week
	Detections	Machines
Total:	536581	319169
Average:	76654	45596

Win32/Cutwail MSRT removals – first week

Detections

Machines

Total:

213165

91290

Average:

30452

13040

So it would appear the Win32/Oderoor network is slightly smaller that the Win32/Nuwar network – around the 80% mark. It should be noted that the Nuwar numbers are a lower-bound (due to the way we detect them), so in reality it is likely slightly smaller again. The detections per machine are higher for Nuwar because there was/is more components than Oderoor’s standalone executable. Speaking of the standalone executable - as tends to happen with these things, the Oderoor authors put out a new version the day after MSRT’s release: Backdoor:Win32/Oderoor.gen!E. We love these games of cat and mouse. Vendor detection is still a bit sketchy.

And how well did Oderoor fare with respect to the other families in MSRT this month? It made the top 4 which is very impressive considering the other types of malware that are being targeted:

#1	Win32/Zlob
#2	Win32/Vundo
#3	Win32/Renos
#4	Win32/Oderoor
#5	Win32/Busky
#6	Win32/Rbot
#7	Win32/Cutwail

We’re in contact with the guys over in DVLabs who are going to take a look at their data to see if they noticed a drop from inside the network after MSRT’s release. We’re eagerly awaiting a post on their blog (http://dvlabs.tippingpoint.com/blog).

So was that Kraken botnet all it was Kraked up to be? I think yes. If we look at hype vs MSRT results, this botnet received a lot less hype than Nuwar’s network, but achieved pretty high infection numbers. If anything, it might even be understated. However hype is dependent on a botnet having something that makes it unique and interesting, such as Nuwar’s distributed peer-to-peer architecture. Encrypted communications over port 447 are ok but peer-to-peer is better I reckon. So perhaps it was just the right amount of hype. Juuuust right.

All Kraked out,

Matt McCormack

* - watch the Bret and Vinny show while you’re there. Vinny is our boss. He’s alright.

**- Seriously, running un-patched computers and being connected to the Internet is asking for trouble. It really is such a bad idea. It takes next to no time for an un-patched machine to get infected by some worm or another; this is one of the reasons we release MSRT to try and clean up the eco-system.

Microsoft acquires Komoku

blogmalware — Thu, 20 Mar 2008 21:50:00 GMT

Today, Microsoft announced the acquisition of Komoku to add to Forefront and Windows Live OneCare's technological capabilities. I would like to take this opportunity to review the year since my "Hello World" blog post and again provide insight on where we will be going.

A year ago, I noted our test results were "not stellar" :-). We were lacking VB100 certification, and independent test results placed us ten to fifteen points behind where we hoped to score. I then promised that we were going to do our best to obtain the VB100 every time after. And while always concentrating on what was important—the malware most likely to affect our users—we brought our test scores on par with the rest of the industry. This year is going well, and we now have test results again to see how we delivered on those promises.

Virus Bulletin continues its bi-monthly VB100 Awards, and both Forefront and Windows Live OneCare have obtained VB100 Awards each time they were considered, five in total. That is no simple task as many products, some sporting incredible streaks previously, managed to have that streak broken in that time. We continue to maintain our certifications by ICSA Labs (www.icsalabs.com) and West Coast Labs (www.westcoastlabs.org). Additionally, we now seek and obtain “Cleaning” certification. That means malware removal is now also being certified.

In the area of test scores, we attained the level where we are competitive in our detection rates. AV-Comparatives (www.av-comparatives.org), which had rated us a Fail with 82.4% last year, now rates our detection as Advanced at 93.9%. At the same time, AV-Test (www.av-test.org) shows our detection rate to be 97.8%. This is above most of the other products listed, including those we consider our peers. Last year, I had said, "You will see our results gradually and steadily increase until they are on par with the other majors in this arena. And soon after, they will need to catch up to us!" I think we are somewhere between those two sentences.

But, why the difference between the two scores? Isn’t that a significant difference?

AV-Test used malware exclusively from the two months prior to its test. AV-Comparatives, on the other hand, used malware stemming up to three years past. The higher detection of more recent malware highlights our dedication to protect our users from malware that they will more likely encounter. Malware older than a year, or even six months, that hasn't been seen in that time, is not likely to be encountered again. Malware writers are more keen to create new malware that none of the security products detect than to reuse old malware that some already detect. This issue of meaningful testing is an area that the newly forming Anti-Malware Testing Standards Organization (AMTSO) seeks to address.

So, are we “stellar” yet? That would imply that we are satisfied with where we are. So, the obvious answer is that we will never feel satisfied.

AV-Test.org tests more than just malware detection. There are criteria where we still need to improve. Among them are rootkit detection, generic/proactive capabilities and response time.

Response time is a component in how we support our users. Now, with fully staffed Research Labs in Dublin (headed by Katrin Totcheva) and Melbourne (headed by Jakub Kaminski) and beefing up Redmond with the addition of Joe Hartmann, we are well suited to do our best to support our users.

And now back to the acquisition of Komoku. The addition of Komoku, especially its talented core of researchers, will add to our proactive capabilities in detecting zero-day vulnerabilities and improve rootkit detection. We are very excited and hope soon to conquer these next challenges.

-- Jimmy Kuo

For additional information visit: http://blogs.technet.com/forefront/archive/2008/03/20/microsoft-acquires-komoku.aspx

MBR rootkit: VirTool:WinNT/Sinowal.A report

blogmalware — Fri, 11 Jan 2008 04:12:00 GMT

This week you may have heard or read about a new rootkit that has been reported in the wild that uses the Master Boot Record (MBR) as its Auto-Start Entry Point (ASEP). The malware is being called VirTool:WinNT/Sinowal.A. First we want to let you know that if you use any of the Microsoft antivirus technologies (Windows Live OneCare, Forefront Client Security, Forefront Security for Exchange or Windows Live OneCare Safety Scanner), you are already protected from this threat as of definition version 5364.0 and higher. Next, we want to talk about the use of the MBR as an ASEP by which to kick off the malware loading process and some of the interesting consequences of using this technique.

There are several binaries in the wild which try to install this rootkit. All the known variants are detected by Microsoft antimalware products using two generic signatures: PWS:Win32/Sinowal.gen!C and PWS:Win32/Sinowal.gen!D.

This malware attempts to modify the MBR so that it can control what gets read from the disk into memory and execute very early in the boot process. After the modified MBR is executed, it reads additional malicious code into memory which modifies the NT kernel to force it to load a malicious driver that has been stored at the end of the physical disk (The driver will not be visible while the infected OS is running.). Once the driver is loaded into the kernel, it behaves just like a standard kernel mode rootkit, providing covert and stealth network backdoor functionality by hooking low level APIs to attempt to avoid detection.

Here are some interesting things about this malware:

First, the installer for this rootkit needs to modify the MBR in order to ensure that the rootkit can persist across reboots. It does this by using the CreateFile API attempting to open “\Device\Harddisk0\DR0” for write access. Using the CreateFile API in this way (for direct / raw disk access) requires administrative privileges as mentioned in this KB article: http://support.microsoft.com/kb/q100027. So if you are logged into Windows as a standard user or if you are using Windows Vista with UAC enabled, even if you accidentally run the malware installer or it runs via some exploit code, it will be running with insufficient privilege to modify the hard disks MBR; thus it will not be able to persist a system restart.

Next, the perceived strength of this new rootkit, its lack of a visible footprint in the registry and file system due to the use of the MBR as the ASEP, is also a big weakness! If you suspect that you have a system that is infected with this rootkit, to prevent it from loading, all that is required is to write a known-good copy of a master boot record back to the disk to prevent the rootkit driver from being loaded on the next reboot! Fortunately, we have made that a fairly painless process with the Windows Recovery Console and the ‘fixmbr’ command!

Here are some instructions for using the Windows Recovery Console:

Windows XP instructions: http://support.microsoft.com/kb/314058 (just type ‘fixmbr’ in the console)

Windows Vista instructions: http://support.microsoft.com/kb/927392 (just type ‘bootrec.exe /fixmbr’ at the console)

After restoring a known-good MBR to the hard drive, you should be able to start Windows and perform an on-line antivirus scan to detect and remove any of the malware components or any other malware that may have been installed on the system and hidden by the rootkit. You can use the Windows Live OneCare Safety Scanner at http://safety.live.com to perform such a scan. It includes all the signatures for this malware.

The main driver makes outbound HTTP connections to a particular hard-coded IP address or domain. We presume this is so that it can receive instructions and/or register with its overseer. It may also be able to receive instructions which allow it to act as an HTTP proxy, or to download and execute further malware. The malware makes similar connections to a number of domains which appear to be pseudo-randomly generated.

More information about this malware is available in our virus encyclopedia write ups:

VirTool:WinNT/Sinowal.A: http://www.microsoft.com/security/portal/Entry.aspx?name=VirTool:WinNT/Sinowal.A

VirTool:WinNT/Sinowal.B: http://www.microsoft.com/security/portal/Entry.aspx?name=VirTool:WinNT/Sinowal.B

PWS:Win32/Sinowal.gen!C: http://www.microsoft.com/security/portal/Entry.aspx?name=PWS:Win32/Sinowal.gen!C

PWS:Win32/Sinowal.gen!D: http://www.microsoft.com/security/portal/Entry.aspx?name=PWS:Win32/Sinowal.gen!D

Support

•

Customers in the U.S. and Canada can receive technical support from Microsoft Customer Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.

•

International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit International Help and Support.

-- Robert Hensing and Scott Molenkamp

This is a case where the Microsoft Malware Protection Center (MMPC) worked closely with the Microsoft Security Response Center (MSRC) to analyze the threat and develop guidance and mitigations. Rob "EL CONQUISTADOR" Hensing (Microsoft Security Technology Unit) and Scott Molenkamp (Microsoft Malware Protection Center, Australia) contributed to this blog in an effort to share this information with customers and partners.

Microsoft Security Intelligence Report (January – June 2007) is Now Available

blogmalware — Thu, 25 Oct 2007 00:05:00 GMT

One of the Microsoft Malware Protection Center’s (MMPC) goals is to share the valuable data, insights and expertise we have with customers on a regular basis in an effort to help customers better understand the changes occurring in the threat landscape and improve their defenses accordingly. We just released the third volume of our threat report, called the Security Intelligence Report (SIR). The SIR shares the conclusions drawn by our research team using data gathered from the Microsoft Malicious Software Removal Tool (MSRT), Windows Defender, Windows Live OneCare, Windows Live OneCare safety scanner, Exchange Hosted Services, and Forefront Client Security (FCS). The net of this, is threat related data from several hundred million Windows based systems.

The MMPC partners with several groups within Microsoft to make the SIR a unique threat report. The Microsoft Security Response Center (MSRC), the Trustworthy Computing (TwC) group and numerous product groups all contribute to the report. In this volume of the SIR, the MSRC has written a couple of sections on software vulnerability disclosures and exploits. Here’s an example of one observation by the MSRC: The number of disclosed vulnerabilities across the software industry continues to climb, with more than 3,400 new vulnerabilities disclosed in 1H07. But according to the data we’ve gathered this number actually represents a decrease from 2H06, the first period-to-period decline in total vulnerabilities since 2003. Another trend identified by the MSRC is that while the number of vulnerabilities continues to increase, the ratio of exploit code available for those vulnerabilities is on a slight decline.

We have been listening to feedback from customers, partners and analysts regarding what they liked in past releases of the SIR and what they thought could be improved. Based on that feedback we have made some big changes in this new volume of the SIR that I hope readers will like. Please keep the feedback coming! Some of the changes we made in the new SIR include:

· The report includes a new section on Software Vulnerability Exploits, which is authored by the MSRC.

· The report now has a new look and feel which includes an executive summary as well as customer guidance (strategies, mitigations, and countermeasures) in each section of the report

· A ten page “Key Findings Summary” is also available which provides an executive summary of the 92 page SIR. This summary is available in the following languages: Chinese (Simplified), Chinese (Traditional), English, French, German, Italian, Japanese, Korean, Portuguese (Brazil), Russian, Spanish

· From the data in the SIR we can see that the trends continue in a direction that indicates attackers are financially motivated and are adjusting their tactics along with constantly modifying the threats, both malicious and potentially unwanted (you can read more about what distinguishes each of these in the report) they use to support this goal. Some examples of findings in the new SIR:

· Significant increases in categories, such as Trojan downloaders, potentially unwanted software (which includes rogue security software), and exploits, suggest that distribution of potentially unwanted software is less and less a matter of a normal affiliate model and more often malicious and/or criminal in method and intent.

· The MSRT removed significantly more malware in 1H07 than in previous periods. It removed malware from 1 out of every 217 computers in 1H07, compared to 1:409 in 2006 and 1:359 in 2H05.

· We found 65% less Potentially Unwanted Software and 60% less malware on computers running Windows Vista than on computers running Windows XP SP2.

You can read more in the SIR: www.microsoft.com/sir

Thanks,

Vinny Gullotto

Back from Vienna/VB2007

blogmalware — Sat, 20 Oct 2007 11:59:00 GMT

Hi again, WOW so a month now since the VB2007 Conference in Vienna, Austria. Vienna was beautiful!

Where has the time gone, since then!?

I couldn’t let too much more time pass before saying a few words, as I’m finally off the road to be able to sit and gather some thoughts on it.

We (The Microsoft Malware Protection Center, a.k.a The MMPC) were a platinum sponsor of this year’s conference and many folks from the team traveled far and wide to get there from our Ireland, Australia, and U.S. labs to attend and present at the event.

I want to thank all who attended my Sponsor's Presentation at the conference. During the presentation I gave an overview of Microsoft’s entry into the anti-virus market, how we have been working to continually improve our research and response capabilities, and also introduced some of the key industry hires we have made over the past year.

As usual, it was great to see everyone; the best and brightest folks in the anti-malware industry who do this work; keep you protected and informed and talk about what’s been, what’s next and what needs to be done. It also gave attendees the chance to meet and discuss important issues with some of our researchers, including Jimmy Kuo, Katrin Totcheva, and Jakub Kaminski, all who’ve been in attendance at VB for years. Folks also got to meet some of the team who attended for the first time, like Alex Carp, Kyle Larsen and Todd Gaiser.

We had some productive discussions with attendees regarding new threats to Internet users, anti-virus testing methodologies, how the MMPC is evolving, and where the best restaurants in Vienna are located. J Much discussion went into how to transform the WildList to better represent the real threats of today. Those conversations, as I’m sure you can imagine, were quite lively and just an opinion or two were shared.

We look forward to the changes that are likely to develop from these discussions. I really enjoyed the session on sample sharing that Dmitry Gryaznov and Joe (Feech) Telafici presented, as well as the discussions that followed – especially the interview Feech gave to the “BBC” J. The explosive growth in malware presents some interesting engineering challenges, like in the area of storage that the anti-malware industry needs to address.

Onward we continue to go, both as a collective industry and as individual organizations, to drive these programs and change forward. I’m looking forward to see how some of these conversations play out; I clearly plan to have the MMPC at the forefront (hehe) of those conversations, as we have had many customers tell us they want and expect us to be there. They can count on it.

October and November are busy months for us…stay tuned!

Vinny Gullotto

Storm Drain

blogmalware — Fri, 21 Sep 2007 03:35:00 GMT

Over the past few months, there has been talk about a wave of malware known commonly as “Storm”. “Storm” has been noted to be responsible for Distributed Denial of Service (DDoS) attacks, mass phishing emails, spam, botnets, and all sorts of online malicious activity.

While the name “Storm” was adopted by press, security companies had already adopted a myriad of names for the set of malware that encompasses this attack. Here at Microsoft, we refer to certain components as Win32/Nuwar and others as Win32/Tibs. Other names such as Zhelatin and shorter names associated with brief attacks have also been used, such as e-card or nfltracker. As I noted, there are many different components, each with its own specialized functionality, so over time, many names have been used.

In August, Microsoft’s Malware Protection Center (MMPC), the group of researchers responsible for each month’s additions to the Malicious Software Removal Tool (MSRT), decided to add this family to the September MSRT release based on its prevalence. The MSRT updates are released monthly in conjunction with Microsoft’s security software updates, and are free to the public in an effort to remove prevalent malware from the Windows eco-system and improve everyone’s ability to enjoy the Internet. With more than 350 million machines around the world that run this program, it requires great care and planning to release each new version.

After much work and testing, we made this month’s MSRT available for download September 11, and nowafter one week, we would like to share some of the statistics with you. But before I do, the researcher in me requires that I give you the caveats. First, MSRT is targeted against very specific known malware. It is well known that the “Storm” attacks are engineered by criminals who update their malware frequently. As a result, we are in an endless chase. But that doesn’t mean we shouldn’t try to make things better. Also, once we decide to take on a family in the MSRT, we continue the assault on that family moving forward, so we will keep at it. Because of all the testing that has to be done, we have to freeze our signature additions weeks in advance to make sure we have ample time to do the testing required to release a product as error free as possible (since even a small percentage of errors will impact thousands or millions of people).

Finally, to the numbers (numbers as of 2PM Tuesday, PDT).

The Renos family of malware has been removed from 668,362 distinct machines. The Zlob family has been removed from 664,258 machines. And the Nuwar family has been removed from 274,372 machines. In total, malware has been removed by this month’s MSRT from 2,574,586 machines.

So, despite some public concern in the press and among researchers about the “Storm” worm, it ranks third among the families of malware whose signatures have been added to the MSRT.

Another antimalware researcher who has been tracking these recent attacks has presented us with data that shows we knocked out approximately one-fifth of “Storm’s” Denial of Service (DoS) capability on September 11^th. Unfortunately, that data does not show a continued decrease since the first day. We know that immediately following the release of MSRT, the criminals behind the deployment of the “Storm” botnet immediately released a newer version to update their software. To compare, one day from the release of MSRT, we cleaned approximately 91,000 machines that had been infected with any of the number of Nuwar components. Thus, the 180,000+ additional machines that have been cleaned by MSRT since the first day are likely to be home user machines that were not notably incorporated into the daily operation of the “Storm” botnet. Machines that will be cleaned by MSRT in the subsequent days will be of similar nature.

The effort by criminals who try to usurp machines on the Internet for their criminal enterprise continues. The September release of the MSRT probably cleaned up approximately one hundred thousand machines from the active “Storm” botnet. Such numbers might project that the strength of that botnet possibly stood at almost half a million machines with an additional few hundred thousand infected machines that the “Storm” botnet perhaps were not actively incorporating.

Unfortunately, “the virus you are most likely to be infected with is the one that you most recently cleaned” because people with a habit of doing something are likely to repeat whatever they did. Despite so many machines having been cleaned recently by MSRT, the “Storm” botnet will slowly regain its strength. This highlights the importance that MSRT is only effective if it is used in conjunction with a real-time antimalware program or package.

As I said before, once we set our sights on a particular malware family, we will continue in that fight. So, we await the next release of MSRT when hopefully, we will take another bite out of crime.

-- Jimmy Kuo

Malware Protection Center Portal v1 Live!

blogmalware — Tue, 10 Jul 2007 07:25:00 GMT

Hey all, if you recall, back in April we released the PREVIEW version of our new portal affectionately known as the Microsoft Malware Protection Center Portal. Since then we’ve received loads of feedback from customers and partners on what they like about the portal and the features they really want to see now and in the future. All of it great stuff!

The official Version 1 of the Microsoft Malware Protection Center Portal is now live!

You can check it out here: http://www.microsoft.com/security/portal/

Some of the features you asked for and we included are:

· Access to our malware encyclopedia.

o When you need to do some research on a particular threat or family you can search or browse our encyclopedia and get the details we’ve written about on it.

· Download our antivirus and/or our antispyware signatures.

o We recommend updating daily, the products will do it for you, BUT if want you can do it yourself for the Forefront client or Windows Defender products both the 32 bit and 64 bit systems.

· Threat and Potentially Unwanted Software Telemetry.

o The portal provides information on the top threats and potentially unwanted software that we are observing and that’s being reported to us by YOU. Each top ten category provides links to read up on those listed

· Tools and Resources.

o We have a collection of links to tools and resources that we think can be useful and interesting to you including blogs and the Microsoft Security Intelligence Report.

· Microsoft Security Intelligence Report.

o And of course no blog would be complete without me mentioning the SIR, we have a page dedicated to hosting the various reports we produce: http://www.microsoft.com/security/portal/SIR.aspx

And last but not least we have the Sample Submission feature! You got a file that you think is infected and want to know for sure?? Upload it to us, we’ll take a look and let you know.

This is just the start – literally a v1 release. As always we want to hear what you think about the portal – the good, the bad, and the ugly (don’t be shy). Please send us feedback and let us know which features you want to see in future releases. mpcfb@microsoft.com

Take care, more soon!!

Vinny

My TechEd Summer Vacation

blogmalware — Fri, 29 Jun 2007 21:01:00 GMT

Hi again, just recently returned from MS TechEd in Orlando, oh it was HOT!

It was great to get a chance to meet some customers and partners face to face and discuss what’s happening at a more granular level today in the enterprise. The issues they face are of course at the heart of what we’re providing solutions for and allows us to reprioritize where needed to make sure we’re addressing things daily as that’s how fast we see things happening at the moment, as I know others do as well. Oh the day of the boot sector infector are long behind us and the pace at which we all must move now is at lightning speed, ya gotta love it!

Some of the important questions and issues we discussed included things like Rootkit technology, naming conventions and the overall breadth of the problem today around spyware and what next generation of threats would we see.

In addition, there were many concerns about the never ending Bot problem and of course how the Microsoft Malware Protection Center will continue to grow to support customers globally.

My commitment to them was to return in some way shape or form and update them on our progress in these areas through this blog and next year at TechED

The customers that attended the presentation seemed a bit overwhelmed by the data we put together in our last Security Intelligence Report.

When I returned back to Redmond, one of the first things I did was go to the TechNet recording studios and record a Security Intelligence Report webcast. If you don’t have the time to read the full report (http://www.microsoft.com/downloads/details.aspx?FamilyId=AF816E28-533F-4970-9A49-E35DC3F26CFE&displaylang=en ) this webcast is an easy way to hear about all the findings in the report and come up to speed on the malware trends we have been observing.

Check it out!

http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032340085&Culture=en-US

There is more to come…stay tuned.

Vinny Gullotto

VB 100 Test Results Are In...

blogmalware — Mon, 04 Jun 2007 21:56:00 GMT

As I mentioned in my last blog post, our researchers and engineers in the Microsoft Malware Protection Center have been focusing their efforts on protecting customers from current, in the wild threats, and established an undertaking to achieve the next VB100 award. Today Virus Bulletin announced the results of their latest tests and Windows Live OneCare as well as Forefront Client Security have both been awarded their VB100 award.

http://www.virusbtn.com/vb100/index

-- Jimmy Kuo

Continuing to move forward – the Microsoft Malware Protection Center

blogmalware — Wed, 16 May 2007 02:03:00 GMT

Fresh off our visit to Japan, where we discussed issues important to the Microsoft Malware Protection Center, we continue to move forward with our goal of being a premier anti-virus research and response center (R&R). Last week’s news of our new global response centers has been well received and that’s excellent! It’s important for our customers that we succeed at the set of goals we’ve declared and get ourselves into a leadership position not only to support the applications we are delivering, but to fine tune some of the processes we’ve created to better support our partners, the industry and the community at large who rely on MS and others to protect them from today’s threats.

When I arrived 8 months ago, MS had the makings of a team that was poised to break through to the next level of R&R. There were some key elements missing; I believe we have added those in the past 6 months and are prepared to see our goal realized. One of the key elements we added was opening the new centers in Dublin and Tokyo, and we have plans to add more centers soon. In addition, the new portal, which may be the most significant change, is now a home to display the day to day workings of the team, as well as be a place everyone can visit to see what we uncovered and track.

Check it out! www.microsoft.com/security/portal

On a more important note, our detection numbers are continuing upwards. I know this is a subject of ongoing interest for many, and we continue to push the team hard in this area because in the end it will be the most visible measure of our success.

We just once again had the OneCare product ICSA and West Coast Labs certified AND Forefront is now WestCoast Labs certified and is in the process of being ICSA certified as well. We feel very confident that we’ll achieve the VB100 Award, for both products as well when the results are published in June, by Virus Bulletin. This to me will exemplify the work we’ve been focusing on and continue to do so.

And finally, we established some key areas and defined a set of benchmarks imperative for us to achieve world class response credibility. This, of course, is the essential element given today’s targeted attacks are more advanced than ever before.

We’ve applied the basic principles our partners, that come before us have to provide world class response to customer queries (including automated responses and queue processing to customer submissions and of course analysts globally to respond regionally) and we have the added element that is unique to MS, which is the insight into the more than 400 million Windows users worldwide.

These customers have consistently asked us to provide support to the ever growing threat of viruses, worms, Trojans and unwanted programs that plague their environments today.

I’d ask that you continue to check back as we provide updates straight from the labs as well as from those watching and monitoring our success. Just this past week we released a new volume of our Security Intelligence Report. The report outlines the trends that we have observed in the malicious software and potentially unwanted software landscapes over the last six months (http://go.microsoft.com/fwlink/?LinkID=88436&clcid=0x409).

We have a lot more in store and a lot more that we can be counted on to deliver.

Thanks,

Vinny Gullotto

Hello world

blogmalware — Fri, 16 Mar 2007 04:36:00 GMT

printf(“hello world\n”);

This is Jimmy Kuo of the Microsoft Security Research & Response team (MSRR). (What a wonderful thing to say and see written down.).

Recently, there have been some tests that have brought into question the detection capability of Windows Live OneCare. Customers and partners have asked us to address these concerns and because the detection capability in Windows Live OneCare is the responsibility of the MSRR team I’d like to address those concerns. (Addendum: The OneCare team has just posted their comments on this issue on their blog at http://windowsonecare.spaces.live.com/ )

When we think about priorities we put our customers first and in doing that we ask ourselves, “What do our clients want? What do they need?”

In my years in this business, the answer to the first question is some form of, “I want to be able to sleep soundly each night knowing that when I wake up, my world hasn’t fallen apart. And if something does happen, I can rely on my vendor to easily resolve it for me.” To that end customers using Windows Live OneCare are supported by Customer Support and Service and the MSRR team. Through those two channels they have the support structure needed to address any service request that comes to us at any hour of the day from anywhere in the world.

What our clients “need” is for us to identify what things are important and be sure to address them before they become an issue for our users. This is why MSRR is focused on adding detections for the most prevalent and active malware in the wild and we do that by combining our breadth of data with experienced malware researchers and automated analysis techniques to rapidly respond to the threats that will have the greatest impact to our customers. To that end, while the recent detection numbers were not stellar, we look to ICSA Labs (www.icsalabs.com), West Coast Labs (www.westcoastlabs.org), and Virus Bulletin (www.virusbtn.com) to make sure we are covering what is most important. ICSA Labs and West Coast Labs are certification bodies (ICSA Labs in the United States, West Coast Labs in Europe). Virus Bulletin is the industry rag, but they have the most highly respected and longest running tests, and in so doing, set many of the industry’s testing standards. We will keep on working with these certification bodies to maintain our certifications, and to acquire the VB100 Award each time we are tested by Virus Bulletin. We missed capturing a VB100 in the last test because we missed one virus. So, as a result we have adopted new methodologies to remedy that. The methodology we adopted is to look more closely at families of viruses that have been found to be “in the wild” (ITW) (found actively spreading among users). This means someone working off the same code base is actively spreading the malware of this family, and thus more of the same family will likely become ITW in the future. And we want to be able to detect them with signatures we write today rather than after they’ve been loosed upon the public.

Furthering on the previous concept, we look to many other feeds that tell us similar things. The MSRT (Windows Malicious Software Removal Tool) is one that can tell us which families are more active so we can anticipate more of those future variants.

That still leaves many samples of malware that the recent tests showed that we still do not detect. As I noted, there is data that can tell us which, if any, of that set is truly important (those actively being spread ITW) and those are added ASAP. The rest are being worked on and as promised, our numbers will get better and better. Because, another thing that I know that our clients want, especially the system admins who use our product, is, “I want you to keep my boss off my back so I can have time to do my job!” And even if the company networks are running smoothly, the boss will see those test results, and bug the admins about them. So it’s also about making sure our customers *feel* better protected when using our products.

So while we concentrate on what’s truly important (malware actively being spread ITW), we will also be bringing up these other test detection numbers. You will see our results gradually and steadily increase until they are on par with the other majors in this arena. And soon after, they will need to catch up to us!

Vinny Gullotto, General Manager of Microsoft Security Response and Research, tells me that he’ll be following up on this post within the next week and talk about some of the additional steps we are taking to continue growing our world class research and response team. He and I are both accustomed to working in, and building, world class response teams and know that Microsoft is committed to creating one that serves our customers, works with the anti-malware community, and supports the eco-system as a whole.

Hopefully, I’ve provided some insight into the workings of how we are prioritizing and focusing on the work we do to support our users, presently and in the future. We know that we are in a service industry. We’re ramping up to be able to handle that and Microsoft is making sure our customers are in good hands by hiring some of the best and brightest in the antivirus industry. For our current users, we have certification bodies that make sure we are doing what’s necessary and important. And we have other monitors to determine what’s spreading and thus are confident that we can protect our users against anything they might encounter in real life. And we will bring our numbers up as we know our customers want that to feel better protected, and, well, to get our bosses off our backs. J

Virus Bulletin 2006

blogmalware — Tue, 31 Oct 2006 00:02:00 GMT

A contingent from our antimalware team attended the Virus Bulletin conference in Montreal, Canada two weeks ago- 12 of us in all. Matt Braverman and I were both presenters and I also moderated a panel discussing progress made by the Anti-Spyware Coalition.

My paper entitled "I Know What You Did Last Logon" was a look into monitoring software from the perspective of privacy and the boundaries of appropriate versus inappropriate use for such technology. I examined this from several angles including a discussion of several court cases that illustrate both sides of the discussion. I also drilled into several pieces of malware for a more detailed discussion of the technical methods employed by monitoring software.

Matt's paper, entitled "Behavioral Modeling of Social Engineering-Based Malicious Software" focuses on malware that leverages social engineering to infect a computer. It reviews techniques used both in the past and present and uses up-to-date data from the MSRT to differentiate those social engineering techniques which have been particularly successful. For example, we've found that using "generic conversation" techniques in an email seems to be one of the most effective ways to attract a user to executing an attachment to that email. Such techniques usually leverage short email subjects and bodies (e.g. "Here is that document you asked for") to try and replicate conversations that may have occurred "in real life" between the email recipient and the sender which the email may spoof.

Copies of both papers are now available through the download center, let us know what you think.

-- Jeff Williams
Security Research & Response

Security Intelligence Report

blogmalware — Fri, 27 Oct 2006 04:11:00 GMT

This week at RSA Europe in Nice, France we released a report detailing the security landscape for the first half of 2006. The report lays out details collected through our various antimalware technologies. The report highlights a number of trends such as a reduction in the number of rootkits and trojans detected by the Malicious Software Removal Tool (MSRT) compared to the second half of 2005, social engineering as a popular and successful method of malware distribution, the frequency that specific potentially unwanted software is kept or removed and specific locales which have the highest instance of infection.

Some of the key points we think our readers will be interested in are:

Threats against consumers and businesses are continuing to become more targeted and motivated by financial gain, with backdoor Trojans and bots continuing to comprise a significant percentage of the malicious software detected by Microsoft anti-malware offerings;
Social engineering continues to be a popular means of spreading malware, especially when sent over e-mail and peer-to-peer (P2P) networks;
Rootkits are likely to continue to be popular for targeted, stealth intrusions.

The data used to identify these trends comes primarily from the Malicious Software Removal Tool and Windows Defender as well as Windows Live OneCare, Windows Live One Care safety scanner, and Microsoft Exchange Hosted Filtering. In the six months covered by the report these tools cleaned nearly 27 million pieces of malware or potentially unwanted software and blocked hundreds of millions of infected email messages.

Based on the data we analyzed and trends observed we also make specific recommendations for how you can better protect the systems that you manage.

You can find the full report here. We welcome your feedback.

Matt Braverman, Jeff Williams & Ziv Mador