Microsoft Malware Protection Center

Threat Research & Response Blog

September, 2010

  • One Year of Microsoft Security Essentials

    It’s been a busy year for Microsoft Security Essentials . As we observed right after the first week of release, Microsoft Security Essentials had already detected threats on over half a million computers. As Microsoft Security Essentials enters into its second year with over 31 million installations, 27 million of those computers have reported infections to the Microsoft Malware Protection Center (MMPC). As indicated by the chart below, the country with the most installations is the United...
  • Brazilian 'Banker' caught Red-handed

    A bit of research goes a long way as we’re going to prove in this blog post. Sometimes, as we'll see with TrojanDownloader:Win32/Camec.A , a little investigation reveals that a seemingly ordinary malware is in fact an exotic bird. The other day, we were analyzing what we thought was a run-of-the-mill trojan written in Visual Basic. Usually these are a dime a dozen since every script kiddie and Internet crook wannabe can get around copy and pasting pieces of code from the web to create a malicious...
  • The Malware, the SMS, and the Money

    A threat we call Trojan:MSIL/Fakeinstaller.A has been making the rounds lately. It is a slight deviation from the family of malware threats known as Trojan:Win32/Ransom . The malware is similar to Trojan:Win32/Ransom , which seizes control of the computer by locking the user's screen and then demanding a passcode from the user. The user receives the passcode only after sending an SMS to a premium number. This particular sample of Trojan:MSIL/Fakeinstaller.A (SHA1: 5a888391750c0efefe9dfc7dd63ed5b78f603ef9...
  • Hold on to your keys!

    There have been a few recent incidents of what we previously thought was extremely rare - malware authors using code signing certificates that were issued to companies with good reputations. The high-profile Stuxnet incident included validly signed malware with misappropriated Authenticode certificates from two Taiwanese companies. More recently, it appears a US credit union lost its private key to malware authors who used it to sign some variants of Trojan:Win32/Tapaoux.A as well. It's still...
  • MSRT sets its sights on FakeCog

    For this month, we added the Win32/FakeCog family to the Malicious Software Removal Tool (MSRT) release. FakeCog is another family of rogue applications that employ dubious methods to convince an unsuspecting user to install and buy their software. It tries to protect itself with code obfuscation and anti-emulation techniques to evade detection by security products. Some of the recent brand names that FakeCog has been known to use are "Defense Center", "Anvi Antivirus", "Protection Center" and...
  • Malware Plays Starcraft 2

    Starcraft 2 is gaining popularity not only for gamers but also for malware writers. We wrote about Starcraft almost two months ago when it was first released. Now, apparently, it is also being used as part of a social engineering technique by a downloader family called Harnig. Harnig is employed by many other types of prevalent threats ( Bubnix , FakeSpypro , Koobface ) to download their malware into computers. We’ve seen a Harnig sample that is using the new release of Starcraft 2: Wings of...
  • Update on the "Here you have" worm (Visal.B)

    We have some updated information for you regarding Worm:Win32/Visal.B , known as the "Here you have" worm (with a SHA1, a unique identifier for the threat, of 0x0BA8387FAAF158379712F453A16596D2D1C9CFDC) that we also blogged about yesterday. First, let us remind you of the two methods originally used by the worm to spread itself: It mass-emailed a link that pointed to malware, and it copies itself to local drives and network shares. The mass mailer takes advantage not only of local address lists...
  • Emerging Malware Issue: Visal.B

    Worm:Win32/Visal.B is a new worm, written in Visual Basic, that is currently propagating in part using social-engineering. We strongly encourage customers to be cautious about clicking suspicious or even simply unexpected links in email, even if it’s sent by someone you know. Getting infected by Visal.B is an example of what happens if you aren’t careful. The threat has a timestamp of 9/3/2010 and spreads using two techniques: mass emailing, and copying itself to local drives (C: and...
  • An Update on Operation b49 and Waledac

    Those of you who read an earlier post of mine know about Operation b49 , our work to take down the Waledac botnet. For those who don’t, I will summarize by saying that Microsoft’s Digital Crimes Unit, in partnership with Microsoft’s Trustworthy Computing team and the Microsoft Malware Protection Center, undertook a combination of technical measures and previously untried legal techniques to disrupt and control the Waledac botnet. It was apparent from our own and from independent...
  • Rogue:MSIL/Zeven wants a piece of the Microsoft Security Essentials pie

    A new rogue has started making its appearance from compromised websites: Rogue:MSIL/Zeven . We received a sample (70be8ca73142922fd78acf2aafa9f141a977f15a) and a URL and began our investigation. Let us say from the beginning that the guys behind this rogue like to copy big-time . They start by auto-detecting what browser the user is currently using, and then faking the malware warning page if the browser is Internet Explorer, Chrome, or Firefox. This is meant to be a social engineering scheme...