Microsoft Malware Protection Center

Threat Research & Response Blog

April, 2009

  • Protecting Our Customers From Half a Million New Unique Malicious Files Every Day

    You might find it hard to believe, but that’s the number of new unique malware samples we detect on average every day in the wild. During the second half of 2008 our products detected a total of nearly 95 million unique malicious files. The total number of distinct malware files we detect every day in the wild is even higher: 841 thousand unique files (that’s the daily average over 2H08) however malware is often detected during consecutive days or even longer. Half a million is the daily average...
  • Windows Addresses the Changing AutoRun Threat Environment

    AutoRun is the ability for a device, through the use of autorun.inf, to expose a set of tasks for the user to choose upon insertion of new media into the computer. This could be a USB drive, a CD or DVD, a network drive, or any other additions of new media. The user is shown the AutoRun tasks along with other functions via the AutoPlay dialog. About a decade ago, diskette use started to wane. Machines began to not include diskette drives anymore. And diskette viruses were effectively removed from...
  • DOTA Players...0wn3d?!?

    --Rdy all? --Mode -AP --Starting in 5 --4 --3 --2 --1 This is the typical scene in DOTA before a game starts. DOTA (Defense of the Ancients) is a very popular custom- made scenario map for Warcraft III. Popular enough that there is even a hit song named after it. DOTA is usually played online with two teams against each other with at most five players on each side. Each player selects from a range of heroes with unique skills. The goal of the game is to destroy the opponent's base. Even...
  • Vundo Employs Worm Behavior

    Vundo is a malware family that doesn't need any introduction. It was one of the families added into the MSRT and remains in the top 10 detections every month. It is commonly reported as a nuisance due to the incessant popups that it delivers to the user desktop--mostly related to rogue programs; slowing down the user's internet connection considerably. Vundo is well known for its resistance to removal by most anti-virus products. One of the methods it uses is hooking the Appinit_Dlls, or LoadAppInit_DLLs...
  • Malware Distribution Across Operating Systems

    Depending on your background, you may find different sections of the newly published Microsoft Security Intelligence Report (SIR) to be of more interest. In today’s post, we would like to highlight the section on infection rates based on the operating system (OS) version and the service pack level. Microsoft has consistently observed that machines with newer OS and with more recent service packs are less likely to be infected by malware. The graph below shows the number of computers having malware...
  • MSRT and MMPC in 2H08 – Microsoft Security Intelligence Report

    The MSRT added the following threat families in 2H08. Rogues and botnet malware were the focus during the six months. New Family Note Added in Computers Cleaned by the MSRT in 2H08 Win32/Horst CAPTCHA breaking threat July 235,318 Win32/Matcash Downloader August 217,610 Win32/Slenfbot IRC bot September 598,178 Win32/Rustock Rootkit spam bot October 183,858...
  • Threats at Home and at Work

    It’s pretty obvious that people often behave differently at home and at work. Microsoft has found that malware and potentially unwanted software are encountered differently and act differently in the two environments. The following graph shows the difference between the categories of threats encountered by Windows Live OneCare users, which is for home use, and Forefront Client Security, which is designed to be managed at work. At work, computers are more likely to encounter self-replicating threats...
  • An Introduction to MMPC's Paladin (Automated Vulnerability Analysis)

    Paladin describes a set of internal tools that automate the steps a researcher would take to understand how a given exploit takes advantage of a given vulnerability. As of today, these tools are not for public consumption. These tools take as input a vulnerable program and an exploit. The tools run the exploit against the vulnerable program and generate an output a file. This output file characterizes how the exploit puts the vulnerable program into a malicious state. A vulnerable program is...
  • Where's Waledac?

    The family added to the April MSRT release is Win32/Waledac . If you haven't heard of the family before, there is a chance you may have seen some of the spam generated by Win32/Waledac in your inbox. We've blogged about some of the spam campaigns in the past, such as Fake Obama or the Valentine Devkit . The most recent spam campaign uses a fake “Reuters Terror Attack” themed lure. Reuters Terror Attack: Win32/Waledac is a complex spam bot. It also has the ability to download and execute arbitrary...
  • Did You Say Malware? Where?

    Customers often look for information about malware that may affect them. For the last couple of years, we have shown that malware doesn’t spread evenly across the globe, despite the global nature of the Internet. Threats that rely on social engineering, are not equally effective in different parts of the world due to language barriers or cultural factors. Also sometimes the malware spreads using exploits in applications which also are unevenly distributed around the world. The Microsoft Security...