Microsoft Malware Protection Center

Threat Research & Response Blog

May 2009

  • MSRT and an Update of Worms in the Wild

    On April 14th, Microsoft released the latest update to the Microsoft Malicious Software Removal Tool. This month, as you know from Scott Molenkamp’s blog post, we added Win32/Waledac. In fact, of the top 5 families, worms make up 3 of the slots: Win32/Taterf, Win32/Frethog, and Win32/Koobface.

        Family Name   Report Count
        Taterf        1,166,975
        Frethog         390,967
        Alureon         328,554
        Koobface        142,164
        Cutwail         134...
  • Closing In on Open Relay Mail Servers

    About four months ago some new colleagues in the security business arrived in our Dublin office. They are part of the Microsoft Anti-spam team and it is our pleasure to have them here :) The Dublin Spam team recently told us that almost every week, Microsoft Forefront Online Security for Exchange is filtering a whopping 13 billion spam messages. Most of them (around 95%) are automatically blocked because they are sent from computers listed in blacklists.

        Date   Total number of...
  • Where is Waledac - Episode II

    The Spambot: Whilst Win32/Waledac is probably best known for the ability to send spam, it can also download and execute arbitrary files. In addition to using this downloading mechanism to update itself, Waledac can also download other malware. The MMPC has observed the download of Trojan:Win32/FakeSpypro and TrojanDownloader:Win32/Rugzip variants. Downloading and executing arbitrary files is not confined to malicious software. Waledac also attempts to download and install a version of the freely...
  • MSRT Tackles Another Rogue

    This month’s addition to the Malicious Software Removal Tool (MSRT) is a rogue security program called Trojan:Win32/Winwebsec. In most ways Winwebsec is virtually the same as most other rogues. It is often distributed through fake online scanner web pages that have a very familiar look to anyone who has spent any time looking at rogues: This web page is virtually identical to those used by other rogues like Trojan:Win32/FakeXPA and Trojan:Win32/WinSpywareProtect. It can’t actually scan...
  • Recession, Music, and Wimad

    Nowadays almost everyone is affected by the recession in one way or another. More and more people try to save money. Instead of buying licensed songs in CD form or from reputable online services, some people prefer to download songs via P2P or do a direct download from untrusted sites. This is a popular way of getting music files for free. Wimad is a malware family that is known for using music files as its medium for distribution. It is a detection for malicious Windows media files that encourage...
  • 860,000 Computers Cleaned from Password Stealer Infections in One Week

    This month’s MSRT shows the following top ten most prevalent threat families as of May 19. The newly added and blogged rogue family, Win32/Winwebsec, is ranked at #17 with 34,792 infected machines.

        Family          Most Significant Category   Detections   Infected Machines   Ranking change
        Win32/Taterf    Worms                       347,424      343,515             =
        Win32/Alureon   Miscellaneous Trojans       256,998      248,341             +
        Win32/Frethog   ...
  • Gamburl Gone Wild

    We’re seeing plenty of reports for a JavaScript redirector malware family that we call Gamburl; previous reports have called it Gumblar or Redir. These attacks seem to be coming from legitimate Web sites with pages that have been modified to contain this malicious script. So even if you’re visiting a Web site that you trust, there’s still the possibility that you may be a victim of these so-called “drive-by attacks”. When a user visits a site containing a Gamburl script, the browser will be...
  • Radio-Frequency Identification devices, is infection a reality? (Part 1)

    Most people would be aware that biological viruses can be airborne, and can spread in this manner. For instance, a common flu virus is able to survive in a fine mist of water droplets suspended in mid-air until it lands on the next host. Luckily, not all viruses are created the same - some can't "fly", some "fly" but can't "land", some land but can't reattach themselves to a host. Interestingly enough, the same analogy persists in the realm of computer viruses. Would my computer or a smart device...