Microsoft Malware Protection Center

Threat Research & Response Blog

April, 2009

  • New 0-day Exploits Using PowerPoint Files

    The Microsoft Security Response Center has released Advisory 969136 today about a vulnerability in Microsoft Office PowerPoint which is being exploited in the wild. Office 2000, Office XP, Office 2003 and Mac Office are vulnerable however the latest version, Office 2007, is not. The Microsoft SRD blog provides more details about the how to protect your environment from the vulnerability. So far we’re aware of several distinct exploit files which have been used. They all seem to be used only in...
  • Windows Addresses the Changing AutoRun Threat Environment

    AutoRun is the ability for a device, through the use of autorun.inf, to expose a set of tasks for the user to choose upon insertion of new media into the computer. This could be a USB drive, a CD or DVD, a network drive, or any other additions of new media. The user is shown the AutoRun tasks along with other functions via the AutoPlay dialog. About a decade ago, diskette use started to wane. Machines began to not include diskette drives anymore. And diskette viruses were effectively removed from...
  • Protecting Our Customers From Half a Million New Unique Malicious Files Every Day

    You might find it hard to believe, but that’s the number of new unique malware samples we detect on average every day in the wild. During the second half of 2008 our products detected a total of nearly 95 million unique malicious files. The total number of distinct malware files we detect every day in the wild is even higher: 841 thousand unique files (that’s the daily average over 2H08) however malware is often detected during consecutive days or even longer. Half a million is the daily average...
  • A Few Quiet Days… and a New Exploit of MS08-067 Has Been Identified

    April 1st is behind us and nothing really happened with Conficker . But it is never boring in the antimalware world. We have found a new exploit of MS08-067 other than Conficker. We also discovered that we already detected and protected users against this new malware. We added information about mitigations against this malware at the end of this blog post. Neeris is a worm that has been active for a few years. Some of its variants used to exploit MS06-040 which addressed a vulnerability in the...
  • Birthday Problem and Conficker

    Hide behind huge numbers, making fighting against very expensive Birthday problem or paradox is the probability that, from a given set of people, two of them will have the same birthday. It is a paradox because the result defies common sense. For a group of 23 people, the chance that two of them share the same birthday is greater than 50%, and for a group of 57 people, it is higher than 99%. The best known use of Birthday Problem paradox is probably the Cryptographic Attack known as the Birthday...
  • Win32/Conficker Variants Update

    There have been new developments in the Conficker arena within the past couple of days. We would like to inform those who are concerned that the MMPC is working to make sure you have the information you need, first to be protected from any threat; and second, to provide you with a full understanding of the threat itself. There have been primarily two new binaries reported. We are pleased to inform that Microsoft products such as Windows Live OneCare, Windows Live OneCare safety scanner, and the...
  • Malware Distribution Across Operating Systems

    Depending on your background, you may find different sections of the newly published Microsoft Security Intelligence Report (SIR) to be of more interest. In today’s post, we would like to highlight the section on infection rates based on the operating system (OS) version and the service pack level. Microsoft has consistently observed that machines with newer OS and with more recent service packs are less likely to be infected by malware. The graph below shows the number of computers having malware...
  • Where's Waledac?

    The family added to the April MSRT release is Win32/Waledac . If you haven't heard of the family before, there is a chance you may have seen some of the spam generated by Win32/Waledac in your inbox. We've blogged about some of the spam campaigns in the past, such as Fake Obama or the Valentine Devkit . The most recent spam campaign uses a fake “Reuters Terror Attack” themed lure. Reuters Terror Attack: Win32/Waledac is a complex spam bot. It also has the ability to download and execute arbitrary...
  • Cashing in on Conficker's Bad Name

    Over the last couple of days we've seen some spam claiming to be from Microsoft, providing a free scan to remove Conficker . Here's an example: The link actually takes you to a typical fake online scanner page used to serve up a rogue security scanner: In this case the page tries to get you to download TrojanDownloader:Win32/Renos.HL which in turn installs the rogue Trojan:Win32/WinSpywareProtect . You can read tips on how to recognize and avoid fraudulent e-mail. --Hamish O'Dea
  • Did You Say Malware? Where?

    Customers often look for information about malware that may affect them. For the last couple of years, we have shown that malware doesn’t spread evenly across the globe, despite the global nature of the Internet. Threats that rely on social engineering, are not equally effective in different parts of the world due to language barriers or cultural factors. Also sometimes the malware spreads using exploits in applications which also are unevenly distributed around the world. The Microsoft Security...