Microsoft Malware Protection Center

Threat Research & Response Blog

May, 2013

  • Windows 8 and Keygens

    As we first reported in the Microsoft Security Report Volume 13, Keygens have become the number one threat reported by users of Microsoft antimalware products. The research also indicates that 76 percent of users that downloaded Keygen or software cracks were also exposed to other, more dangerous malware. Keygens are typically not very dangerous on their own. However, malware authors are having great success using deceptive downloads that either pretend to be Keygens or contain them as well...
  • New whitepaper: Evaluating Microsoft's protection performance and capabilities

    In order to evaluate the performance of their protection provider, customers need to rely on information that goes beyond what external certifications and comparative tests can provide. Today we’re releasing a whitepaper, called "Evaluating Microsoft’s protection performance and capabilities," that we believe will help customers with these evaluations. The whitepaper describes the measurements we use to track our effectiveness across quality, customer experience, and protection coverage...
  • Browser extension hijacks Facebook profiles

    We have received reports about a wave of malicious browser extensions trying to hijack Facebook profiles. This threat was first discovered in Brazil. We detect it as Trojan:JS/Febipos.A. The malware is a malicious browser extension specifically targeting Chrome and Mozilla Firefox. When installed, it attempts to update itself using the following URLs: Chrome browser: du-pont.info/updates/<removed>/BL-chromebrasil.crx; Mozilla Firefox browser: du-pont.info/updates/<removed>...
  • Meet the new paid-archive malware families

    In a previous post, "Fake apps: Behind the effective social strategy of fraudulent paid-archives," we exposed the social engineering technique behind Win32/Pameseg - our detection for a family of "paid-archives." We described the use of "low-ball" techniques and explained how users are led to believe they are making an informed choice. However, the choice ultimately leads to the user being deceived into doing what the attacker wants - downloading and executing an installer. The scheme begins...
  • CVE-2012-1876: Recent update to the Cool Exploit Kit landing page

    A recently debuted exploit kit (EK), called "Cool EK," and detected by us with the name Exploit:JS/Coolex, has been known to include various exploits targeting everything from Oracle JRE, Adobe Reader and Adobe Flash Player to Windows kernel-mode drivers. If you’re unlucky enough to visit a webpage that hosts Cool EK, you might encounter all these exploits in one place, turned against you in a barrage designed to compromise your computer. Recently there was an update to the kit’s armaments to include...
  • Updated data shows prevalence of Java malware in 2012

    Recently we released the Microsoft Security Intelligence Report volume 14. The report initially presented data showing Java malware detections falling in Q3 2012 and regaining prevalence in Q4 2012. During a later review of the backend data, we found that we were missing some detection counts from our initial calculations. We have revised the data, and Figure 1 shows the updated graph. Figure 1: Machine count of detections for each exploit category. From Figure 1, what we can see...
  • No paysafecard needed, your passwords will pay off

    The past year has been one of expansion for ransomware. Throughout 2012 an increasing number of blogs, tutorials and discussion forums were written to help people regain access to ransomware-locked computers without paying the ransom. The authors of Reveton ransomware are aware that the persistence of their malware on a system is threatened not only by antivirus products, but also by the computer user who tries to remove the threat. Not every infection is going to result in a paid ransom, so the Reveton...
  • Don't pay the rogue, scan with MSRT

    We added three new families to this month’s Malicious Software Removal Tool (MSRT): Win32/FakeDef, Win32/Vicenor, and Win32/Kexqoud. In this blog, we will talk about the rogue antivirus family Win32/FakeDef. It’s not a big player in the rogue world, but it holds its own unique characteristics. We found this family in the wild in December 2012. Initially it was pushed to a victim's machine by Win32/Fareit variants. This means machines where Win32/FakeDef is found may also be...
  • How easily USteal my passwords

    Bundling malware and legitimate software on unofficial download websites is an effective way of tricking users into running malicious files. We often see keygens, hacktools and game trainers bundled with trojans and posted on forums or as comments under videos. I recently analyzed a file that claimed to be a game tool used for customizing Dota2, a multiplayer online battle arena video game developed by Valve Corporation. The tool was made by a third party and offered for free download online....
  • The Wonder of Sirefef Plunder

    Sirefef, also known as ZeroAccess, is a malware platform for receiving and running malware modules. Two prominent modules generate revenue for the cyber criminals, by mining for bitcoins and perpetrating click-fraud. Click-fraud is the deliberate misappropriation of ad revenue by generating online clicks that don’t originate from a potential customer or the rightful publisher. Click-fraud is lucrative and a relatively easy way for cyber criminals to monetize their malware and/or launder...