Microsoft Malware Protection Center

Threat Research & Response Blog

Browse by Tags

  • Blog Post: Fake Security Software All Up

    In a recent blog posted on 18th November we talked about the significant threat that AV rogues had posed for our users this year. Besides the prevalent rogues covered by the MSRT, the following is a longer list of AV rogues detected by Microsoft AV products such as Microsoft Security Essentials, Forefront...
  • Blog Post: Scanti-ly Clad - Another Rogue Stripped by MSRT

    Anyone who’s seen a system infected by a rogue security program doesn’t need to be told how annoying they can be, as they attempt to scare, threaten, cajole, hector, harangue, pester, aggravate, intimidate, badger, harass and generally nag* the user into paying to register the fake software. And even...
  • Blog Post: SQL Injection - New Approach for Win32/FakeXPA?

    (often known as "Antivirus 2009"). One night while browsing, a message box popped up asking me to do a "security scan". As a researcher, I wouldn't let this pass me by. After going through my opened tabs I narrowed down the culprit to a forum I had open at the time. "View Source" showed a 1x1 pixel...
  • Blog Post: FTC to refund rogue security software victims

    The United States Federal Trade Commission announced that it will begin issuing refunds to 300,000 consumers that were victims of several rogue security software scams such as "Winfixer", "Drive Cleaner" and "XP Antivirus". The following is a list of Microsoft antimalware product detection names...
  • Blog Post: MSRT August '11: FakeSysdef

    This month's Malicious Software Removal Tool (MSRT) includes Win32/FakeSysdef - one of the most prevalent trojans affecting our support groups over the past few months. We've discussed this threat in previous blogs (1, 2), and turn to this excerpt from our encyclopedia for some more detail: Win32...
  • Blog Post: Win32/Yektel - the Other Kind of Rogue

    In addition to Win32/FakeXPA we added another rogue-related malware family to MSRT this month - Win32/Yektel. Win32/Yektel is a different kind of rogue. Like other rogues, it displays fake warnings about possible malware or spyware, but rather than pretending to be a security product itself, it tries...
  • Blog Post: Manufacturing Fear

    We’ve seen some particularly nasty malware recently that has prompted me to think about how people react to scare tactics and fear appeals. The kind of malicious software I’m thinking of in particular here is generally referred to as ‘rogue security software’, and it displays false and misleading messages...
  • Blog Post: Internet Antivirus Pro is "unable" (to detect any real malware)

    This month, MSRT takes on another prevalent rogue family. This one is called Win32/InternetAntivirus and, although it has dabbled with the names General Antivirus and Personal Antivirus*, it is usually easy to recognise by the moniker Internet Antivirus Pro. Win32/InternetAntivirus follows the familiar...
  • Blog Post: Win32/FakeRean and MSRT

    This month we added another rogue to the MSRT family list - Win32/FakeRean. Win32/FakeRean is generally very similar to Win32/InternetAntivirus and Win32/FakeXPA, which we continue to see in large numbers each month. Following the fashion, Win32/FakeRean is distributed as several variants, each with...
  • Blog Post: MSRT Tackles Another Rogue

    This month’s addition to the Malicious Software Removal Tool (MSRT) is a rogue security program called Trojan:Win32/Winwebsec. In most ways Winwebsec is virtually the same as most other rogues. It is often distributed through fake online scanner web pages that have a very familiar look to anyone who...
  • Blog Post: FakeXPA – The Journey Continues

    The big fish is back. Rogue security products have long been targeting Microsoft's Security Center and using other Microsoft imaging or logos to falsely lure users to buy and use their products. We now welcome Symantec, Webroot and Sophos to that esteemed crowd. The new avatar of Win32/FakeXPA (currently...
  • Blog Post: Password Stealers are Top Threats in China and Brazil

    On July 14, the MMPC added another fake security software program (rogue), Win32/FakeSpyPro, to the MSRT release. As of July 29, MSRT removal of FakeSpyPro had been reported from 187,258 machines worldwide. Rogues continue to be disruptive worldwide. Three families (FakeSpyPro, InternetAntivirus and...
  • Blog Post: MSRT Tackles Fake Microsoft Security Essentials

    We've seen a few rogue security programs use elements of legitimate security software in order to try to make themselves appear more authentic. It was inevitable that Microsoft Security Essentials would be the target of this kind of mimicry. While some rogues have simply copied Security Essentials' name...
  • Blog Post: FakeSysdef: We can defragment that for you wholesale! / Diary of a scamware

    Initially it was "System Defragmenter", then "Scan Disk" and now it's called "Check Disk". While the name will most certainly change again, the main goal of Trojan:Win32/FakeSysdef will surely remain the same: to trick you into buying a piece of software that does nothing...
  • Blog Post: Doctor Who calling–on Skype, with malware

    Earlier this week, I received a phone call via Skype on my laptop; the caller’s ID was “dralerthelpzc8” as in Dr Alert Help ZC8. The voice on the other end was automated, computerized and otherwise non-human, and alerted me that I had a virus that affects Windows Vista, Windows XP and Windows 7 and...
  • Blog Post: Rogue Antivirus - A Closer Look at Win32/Antivirusxp

    Fake (or rogue) security applications have been a cause of confusion and problems for users for some years. These applications generally display fake warnings and malware detections in order to entice users to buy the application and thus ‘disinfect’ their system. Over time, the mechanisms used to avoid...
  • Blog Post: Slick links linked to slinky Winwebsec

    I received a spam email from a friend lately after which I immediately notified him of a potential malware infection. He insisted his technician had taken care of the infection once and for all. After I returned from my vacation I received another three spam mails from him. This time...
  • Blog Post: There’s more than one way to skin an orange…

    When it comes to attacking a system, and compromising its data and/or resources, there are several different methods that an attacker can choose. One of the more effective ways to make a successful compromise is to take advantage of perceived vulnerabilities in the targeted system. A vulnerability refers...
  • Blog Post: MSRT Review on Win32/FakeSecSen Rogues

    Win32/FakeSecSen was added to the MSRT November release as Hamish mentioned in his MMPC blog. We’ve since observed MSRT removing FakeSecSen from 994,061 distinct machines. Breakdown of these removals by region is shown below. Region/Country Distinct Machines Cleaned ...
  • Blog Post: How to defang the Fake Defragmenter

    We are tracking the trails of this fake "System Defragmenter" software since its first appearance last October 2010, and have warned our customers in our earlier post about this trojan software. In this follow-up post, we give an update including a new variant worth noting for our customers...
  • Blog Post: Where is Waledac - Episode II

    The Spambot Whilst Win32/Waledac is probably best known for the ability to send spam, it can also download and execute arbitrary files. In addition to using this downloading mechanism to update itself, Waledac can also download other malware. The MMPC has observed the download of Trojan:Win32/FakeSpypro...
  • Blog Post: Yes, SIR, More Rogues!

    As Vinny mentioned in his post, the data in our recently released Microsoft Security Intelligence Report (SIR) clearly shows what we've been seeing in our day-to-day research over the last six months or so - rogue security software is getting more prevalent. As well as the raw data, the SIR includes...
  • Blog Post: How potentially unwanted software finds a way into our computers

    I was talking yesterday with a fellow researcher about the Win32/Danmec trojan and the way it uses SQL injection to extend its bot network when I just realized that I was actually looking through some of the injected webpages. I decided to find more about it so I backtracked the events to see how the...
  • Blog Post: The Newest Member of our Rogues Gallery

    The family added to the July MSRT release is Win32/FakeSpypro. As is often the case with rogues, they employ the use of multiple "names" over time. The current branding used by Win32/FakeSpypro is "Antivirus System PRO" with the previous incarnation being "Spyware Protect 2009". The "user interface...
  • Blog Post: FakeXPA... Journey of a Rogue

    Rogue security products have been around for some years, and now they seem to be everywhere. In my previous blog about Trojan:Win32/Antivirusxp I talked about the relationships between rogue products and various other threats. One common behavior of rogue products is their ever-changing domain names...