Microsoft Malware Protection Center

Threat Research & Response Blog

  • Protection metrics trends – First quarter 2014 results

    It's been a few months since our last post on our metrics. I wanted to give you an update on families that are declining, new ones that are moving in, and on the way we're calculating our protection metrics to make them more accurate. Overall, our infection impact (0.29% for January to March) has remained consistently low since December. A few families have declined, but others have moved into their place. Our incorrect detections have stayed under 0.001% and our performance metrics remain...
  • MSRT April 2014 – Ramdo

    This month we added Win32/Ramdo and Win32/Kilim to the Microsoft Malicious Software Removal Tool. In this blog, we will focus on Ramdo and some of what we have since found out about this relatively new trojan family. Ramdo, a click-fraud bot with built-in antisinkhole and antivirtualization code, was first found in the wild in December 2013. Telemetry: Compared to other big families, Win32/Ramdo’s impact is relatively small in terms of the number of infected machines. However, when one...
  • Adware: A new approach

    Here at the Microsoft Malware Protection Center (MMPC) we understand advertising is part of the modern computing experience. However, we want to give our customers choice and control regarding what happens with their computers. To that end we have recently undergone some changes to both the criteria we use to classify a program as adware and how we remediate it when we find it. This blog will help explain the new criteria and how it affects some programs. Our updated objective criteria also explains...
  • Creating an intelligent “sandbox” for coordinated malware eradication

    Hello from China where I am presenting on coordinated malware eradication at the 2014 PC Security Labs Information Security Conference. Coordinated malware eradication was also the topic of my last blog. I said the antimalware ecosystem must begin to work with new types of partners if we are going to move from the current state of uncoordinated malware disruption, to a state of coordinated malware eradication. Since then we’ve been talking about these ideas at conferences around the...
  • MSRT March 2014 – Wysotot

    This month the Microsoft Malicious Software Removal Tool (MSRT) will include the Win32/Wysotot and MSIL/Spacekito families. Below we discuss the history and common behaviors of the Win32/Wysotot family of malware. We first added detection for Win32/Wysotot in October 2013. Figure 1 shows the number of machine encounters since then. (Figure 1: Wysotot detections.) Win32/Wysotot is usually installed by software bundlers. Figure 2 shows some of the programs we have seen downloading Win32/Wysotot...
  • Sefnit’s Tor botnet C&C details

    We have talked about the impact that resulted from the Sefnit botnet Tor hazard as well as the clean-up effort that went into that threat. In this post we’d like to introduce some of the details regarding the Tor component’s configuration and its communication with the Tor service. Specifically, we’ll talk about how Trojan:Win32/Sefnit.AT communicates with the Tor network, what domains it tries to contact, and where it keeps its configuration data. After Sefnit installs the...
  • PC health – Part 1: Information stealing malware

    When we were building Windows 8, MMPC partnered with several teams in Microsoft to start the PC Health program. The PC health program has two goals: to inform and guide customers on additional actions to take when malware might have put their information at risk, and to monitor the health of PCs running our antimalware products and initiate remediation as required. We’ll discuss the PC health program in this two-part blog. Part 1 focuses on the first goal: informing and guiding our...
  • Malicious Proxy Auto-Config redirection

    Internet banking credentials are a desired target for cybercriminals. They can be targeted with man-in-the-middle attacks or through password stealing trojans such as Fareit, Zbot or Banker. A less known method of gaining unauthorized access to a user’s banking credentials, commonly found in South America and to a lesser extent in Russia, is through malicious Proxy Auto-Config (PAC) files. Normally, PAC files offer similar functionality to the hosts file, allowing IP/website redirection...
  • A close look at a targeted attack delivery

    For antimalware products, targeted attacks represent a very interesting class of malware. They are stealthy and only target specific organizations and industries - flying under the radar when it comes to identifying new malware files based on telemetry. The purpose of these attacks is most commonly to steal confidential and sensitive information by means of social engineering and unpatched, vulnerable software. We recently investigated a sample used in this kind of attack, Trojan:Win32/Retefe...
  • The MSRT in Action: Keeping systems safe

    In four days the January release of the Microsoft Malicious Software Removal Tool (MSRT) detected almost a million threats on PCs across the globe. In the video below, Dustin Childs and Joe Faulhaber explain what happened as the MSRT sprang into action.