This month, we added Win32/Tracur and Win32/Dursg, two of the most prevalent pieces of malware belonging to the category of 'web redirectors', to our Malicious Software Removal Tool (MSRT). After just over two weeks in release, we have early numbers on our success in detecting and removing these twinned threats. In terms of functionality, Win32/Tracur is a backdoor trojan with the capability to redirect web search queries. It is worth mentioning that about 99% of Win32/Tracur samples we have seen...

I'm very excited to announce that today, the MMPC is opening a new research and response lab in Munich, Germany! Why Munich? Well, this central location in Europe enables the MMPC to be more agile in responding to threats across Europe, the Middle East, and Africa. The new lab complements the existing European antimalware lab in Dublin, Ireland. Both of these labs will be led by 20-year veteran antimalware researcher Katrin Totcheva. Katrin is here with me, in Munich, for the opening of the...

The recent emergence of rogue security software applications for Mac demonstrates how cybercriminals effectively use social engineering techniques to manipulate users’ responses - specifically, exploiting user’s fear of revealing sensitive information such as credit card details. This scare tactic evidently works regardless of the platform.  While financial gain is primarily the motivation that drives elaborate schemes of Internet fraud, a threat that appears limited and specific to its target...

Nowadays, when people want to download software, they usually search for it using a search engine that leads them to a download site. But some software on these sites may be harmful. In China, more and more software package authors are using these download sites in a malicious way in order to make money. They add other unwanted software into the normal software package – this is called a "repack". Some time ago, one of our customers intended to download a web browser but instead downloaded...

Late last week, the MMPC officially launched its Facebook page and its Twitter account . From this Welcome page, you can read our latest blog posts, see our latest Twitter feeds, and find out what threats most affect your desktop. You can also download the latest Security Intelligence Report (SIR), which contains a wealth of information on the current threat landscape. We have great plans ahead for our Facebook page - this launch is only the start! So Like us , Follow us , and stay tuned...

The Malicious Software Removal Tool (MSRT) targets two prevalent families in this July 2011 release, Win32/Tracur and Win32/Dursg . Both families share common functionality that monitors user web search queries and redirects to a malicious URL to display advertisements or download more malware. It affects users of web browsers such as Internet Explorer , Firefox , Opera and Chrome . For instance, Win32/Tracur installs a browser helper object, or BHO, for IE to monitor web search queries. It also...

Would you like to know more about the MMPC, and how we protect computer users worldwide? We have released new versions of two whitepapers which describe how the MMPC operates, and provide an introduction to the antimalware technologies that the MMPC supports. The two new papers are: - Malware Research and Response at Microsoft : This paper discusses the evolving nature of malware and introduces the team of antimalware researchers in the Microsoft Malware Protection Center (MMPC), which helps keep...

In an effort to continue raising awareness about the Rustock botnet that was successfully taken down on March 16th, the Microsoft Digital Crimes Unit (DCU), the Microsoft Malware Protection Center (MMPC) and Trustworthy Computing released a new Special Edition Security Intelligence Report (SIR) today titled " Battling the Rustock Threat ". Our telemetry indicates that the bot network is now less than half the size it was prior to being taken offline. However, although our global detection results...

On June 14, Adobe released updates and a security bulletin (APSB11-18) referencing attacks affecting Adobe Flash Player (versions 10.3.181.23 and earlier). These attacks have been observed as hosted on webpages containing malformed SWF files. We spent some time analyzing this Flash Player vulnerability (described in CVE-2011-2110 ) and are providing some technical details of this in-the-wild exploit. The Shellcode The following steps describe how the SWF constructs the shellcode: The SWF downloads...