Microsoft Malware Protection Center

Threat Research & Response Blog

December 2013

  • Be a real security pro - Keep your private keys private

    One of the many unusual characteristics of the Stuxnet malware that was discovered in 2010 was that its files were distributed with a valid digital signature, created using authentication credentials that belonged to two unrelated legitimate software companies. Normally the signature would verify that the program was issued by the company listed in the signing certificate, and that the contents of the program had not been tampered with since it was signed. By using other companies’ authentication...
  • Rotbrow: the Sefnit distributor

    This month's addition to the Microsoft Malicious Software Removal Tool is a family that is both old and new. Win32/Rotbrow existed as far back as 2011, but the first time we saw it used for malicious purposes was only in the past few months. In September, Geoff blogged about the dramatic resurgence of Win32/Sefnit (aka Mevade). At the time, we knew of several ways in which Sefnit was distributed, but we continued investigating how it was able to get on so many machines. When we concentrated on...
  • Turkey: Understanding high malware encounter rates in SIRv15

    In our most recent version of the Security Intelligence Report (SIRv15), we compared the encounter rates of malware categories for the top 10 countries with computers reporting the most detections in 2Q13. Amongst these countries, Turkey stood out with considerably high encounter rates in multiple categories. Encounter rate is the percentage of computers in a country that reported at least one detection of malware. Figure 1. Threat category prevalence worldwide and in the 10 locations with...
  • Protection metrics – November results

    In our October results, we talked about a trio of families related to Win32/Sefnit. Our November results showed progress against Sefnit and the installers and downloaders of Sefnit (Win32/Rotbrow and Win32/Brantall). In comparison to September, active Sefnit infections have been reduced by 82 percent. As with prior months, our rate of incorrect detections also remained low and performance stayed consistent. (If you want a refresher on the definition of the metrics we use in our monthly results...