Microsoft Malware Protection Center

Threat Research & Response Blog

April, 2009

  • Yes, SIR, More Rogues!

    As Vinny mentioned in his post, the data in our recently released Microsoft Security Intelligence Report (SIR) clearly shows what we've been seeing in our day-to-day research over the last six months or so: rogue security software is getting more prevalent. As well as the raw data, the SIR includes some of our research into how rogues evolved over the second half of 2008. In addition to becoming more widespread, we saw rogues get more sophisticated and aggressive. There were two families that...
  • Win32/Conficker Variants Update

    There have been new developments in the Conficker arena within the past couple of days. We would like to inform those who are concerned that the MMPC is working to make sure you have the information you need, first to be protected from any threat; and second, to provide you with a full understanding of the threat itself. There have been primarily two new binaries reported. We are pleased to inform that Microsoft products such as Windows Live OneCare, Windows Live OneCare safety scanner, and the...
  • Cashing in on Conficker's Bad Name

    Over the last couple of days we've seen some spam claiming to be from Microsoft, providing a free scan to remove Conficker. Here's an example: The link actually takes you to a typical fake online scanner page used to serve up a rogue security scanner. In this case the page tries to get you to download TrojanDownloader:Win32/Renos.HL, which in turn installs the rogue Trojan:Win32/WinSpywareProtect. You can read tips on how to recognize and avoid fraudulent e-mail. --Hamish O'Dea
  • Who's at Risk on the Internet Today? We All Are. Act Accordingly…

    Here at the Microsoft Malware Protection Center (MMPC) we look for ways to share the valuable data, insights and expertise that we have with our customers on a regular basis. We just released the sixth volume of our Microsoft Security Intelligence Report (SIR). The SIR shares the conclusions drawn by our research team using data gathered from hundreds of millions of computers worldwide and some of the busiest services on the internet. A very clear trend we saw in the second half of 2008 was the...
  • Birthday Problem and Conficker

    Hide behind huge numbers, making it very expensive to fight against. The Birthday problem, or paradox, is the probability that, from a given set of people, two of them will have the same birthday. It is a paradox because the result defies common sense. For a group of 23 people, the chance that two of them share the same birthday is greater than 50%, and for a group of 57 people, it is higher than 99%. The best known use of the Birthday Problem paradox is probably the cryptographic attack known as the Birthday...
  • A Few Quiet Days… and a New Exploit of MS08-067 Has Been Identified

    April 1st is behind us and nothing really happened with Conficker. But it is never boring in the antimalware world. We have found a new exploit of MS08-067 other than Conficker. We also discovered that we already detected and protected users against this new malware. We added information about mitigations against this malware at the end of this blog post. Neeris is a worm that has been active for a few years. Some of its variants used to exploit MS06-040, which addressed a vulnerability in the...
  • New 0-day Exploits Using PowerPoint Files

    The Microsoft Security Response Center has released Advisory 969136 today about a vulnerability in Microsoft Office PowerPoint which is being exploited in the wild. Office 2000, Office XP, Office 2003 and Mac Office are vulnerable; however, the latest version, Office 2007, is not. The Microsoft SRD blog provides more details about how to protect your environment from the vulnerability. So far we're aware of several distinct exploit files which have been used. They all seem to be used only in...
  • Win32/Koobface, MSRT and Industry Cooperation

    On March 10 we released an update to the Malicious Software Removal Tool to add targeting of the Win32/Koobface family. The addition of this threat came out of discussions with the security team at Facebook, but this is not the first time we have added a family of malicious software to MSRT on request. We regularly work with CERTs, government agencies, ISPs and companies on threats as part of our outreach activities. Win32/Koobface falls in as the sixth most common threat removed by MSRT this month...