Whilst working on our normal data pull and analysis for the Microsoft Security Intelligence Report ( v9 - released last week ), I embarked on a mini discovery mission on the exploit data that MMPC detects with our antimalware technology. Although the main focus of antimalware software is on traditional malware families, antimalware technologies can do a good job when it comes to file exploits that require a lot of parsing, such as exploit-laden movies, documents, and ... Java. What I discovered...

This month, the MSRT team has added detection and removal for Zbot , one of the most widely known active botnets today. Although the malware itself is quite complex and varied, the technical acumen required to use and distribute it is actually quite low. Toolkits to create the malware are easily attainable and quite simple to use as the following screenshot shows. Underground forums are teeming with questions ranging from the very basics about configuring the malware to people boasting about...

Today, the 9th edition of the Microsoft Security Intelligence Report was released as Adrienne Hall, General Manager of Microsoft Trustworthy Computing Communications, gave her keynote at RSA Europe.   This time around, we've done a few things differently.  First off - we've dedicated this particular volume to the study of botnets and the role that they play in the malware world.  You'll find a historical anthology of how botnets came to be along with modern-day examples, including...

As those who follow our blog already know, we added Win32/Zbot to MSRT this month.  This is a complex threat with techniques employed to make removal by AV challenging and which necessitated advances in the technology we use.  The threat is aimed at theft of credentials (often financial) and, according to the FBI , part of a major theft ring which, as the result of cooperation between law enforcement in several countries, led to numerous arrests this month. Since the release of MSRT on...

The latest Microsoft Security Intelligence Report (SIR) dedicates a whole section to botnets and the role they play in today's world of malware, and for good reason - the pathways of the malware world are quickly merging into a botnet superhighway, a new conduit used for many nefarious purposes. If you compare the worldwide infection rate of computers cleaned per thousand ( CCM ) as detailed in the botnet section of SIR v9 with the general malware CCM, an interesting picture emerges.  By Q2...

If you play Halo, you probably know that the Recon Armor is a rare armor variant that is only available to the makers of Halo, Bungie, and players who have unlocked all Vidmaster challenges in previous versions of the game. With the recent release of Halo: Reach, a lot of users are looking for free means to get hold of this armor for their game play. Apparently, malware writers also took notice of this opportunity to distribute malware masking as code generators for the flaming recon helmet and Halo...

When people in the industry talk about intentional obfuscation using virtual machines, (note that these are not the same virtual machines as Virtual PC or VMware, but rather it's a technical term that was in use long before these products came into existence), the two examples that are most likely to come to mind are VMProtect and Themida.  Both of them have been around since about 2004, only six years ago.   I'm trying to choose my terms carefully here, because by their nature, virtual...

At the recent Virus Bulletin 2010 Conference in Vancouver, BC, I made a presentation highlighting infection data collected from the Malicious Software Removal Tool and data collected from Microsoft Security Essentials in its first year. The presentation (coincidentally on the Security Essentials one year anniversary ), entitled " Observations and lessons learned from comparing point-in-time cleaning against real-time protection ", showed the MSRT as a baseline removal tool to keep the ecosystem clean...

Yesterday (Oct 26, 2010), MMPC researchers learned that the Nobel Peace Prize website " nobelprize.org " was hacked and users browsing the site using Firefox versions 3.5 and 3.6 may have received malware. The malware is delivered by way of a malicious JavaScript that exploits a vulnerability in Firefox. Mozilla is aware of the vulnerability and note that an update of the browser is pending. Microsoft provides protection against the malicious JavaScript as " Exploit:JS/Belmoo "...

Earlier this week (October 25), authorities in the Netherlands took action against one of the Win32/Bredolab botnets and person(s) who may be responsible for this threat as part of an investigation codenamed TOLLING- part of a larger project named TAURUS. This follows on the heels of similar efforts against Win32/Zbot by the Federal Bureau of Investigation’s Operation “Trident Breach” in partnership with international law enforcement agencies, operations in Spain and Slovenia against the Win32/Rimecud...