Microsoft Malware Protection Center

Threat Research & Response Blog

Browse by Tags

  • Blog Post: Microsoft partners with Interpol, industry to disrupt global malware attack affecting more than 770,000 PCs in past six months

    'Simda.AT' designed to divert Internet traffic to disseminate other types of malware. Today Interpol and the Dutch National High Tech Crime Unit (DNHTCU) announced the disruption of Simda.AT, a significant malware threat affecting more than 770,000 computers in over 190 countries. The Simda...
  • Blog Post: MSRT October Release – Case Study

    As of October 21st, the MSRT has removed the newly added threat, Win32/FakeScanti from 56,700 infected machines. For this month, it was the 12th most prevalent threat family worldwide and 7th in the US. Overall the MSRT has cleaned 2,516,235 machines this month from all kinds of malware infections. ...
  • Blog Post: Cleaning Over 10 Million IRC Bots

    No one could have anticipated all the ways that Internet Relay Chat (IRC) would eventually be used when it was 'created' in Finland during the late 1980s. People really started picking up on IRC in the early 1990s, and as with virtually all popular technologies, it started to get abused. IRC enables...
  • Blog Post: MSRT on CAPTCHA breaking malware

    A CAPTCHA (IPA: /ˈkæptʃə/) is a type of challenge-response test used in computing to ensure that the response is not generated by a computer. The process involves one computer (a server) asking a user to complete a simple test which the computer is able to generate and grade. Because other computers...
  • Blog Post: Banload – The Other January Addition to MSRT

    This month’s MSRT release includes signatures for Win32/Banload. This family of malware is known to download and execute variants of both Win32/Bancos and Win32/Banker – which are both malware families of password-stealing trojans. Typically, they attempt to capture online banking credentials and other...
  • Blog Post: Microsoft Security Intelligence Report Volume 5 is Now Available

    One of our goals here at the Microsoft Malware Protection Center (MMPC) is to share the valuable data, insights and expertise we have with customers on a regular basis in an effort to help customers better understand the changes occurring in the threat landscape and improve their defenses accordingly...
  • Blog Post: MSRT January ‘11: Win32/Lethic

    Win32/Lethic is a trojan that communicates with a remote server to distribute spam. Variants of Lethic install executable files with varied file names such as “shelldm.exe” or “xcllsx.exe”. The malware loads as a process when Windows starts. The trojan establishes a connection to remote servers using...
  • Blog Post: Recession, Music, and Wimad

    Nowadays almost everyone is affected by the recession in one way or another. More and more people try to save money. Instead of buying licensed songs in CD form or from reputable online services, some people prefer to download songs via P2P or do a direct download from untrusted sites. This is a popular...
  • Blog Post: MSRT Review on Win32/FakeSecSen Rogues

    Win32/FakeSecSen was added to the MSRT November release, as Hamish mentioned in his MMPC blog. We’ve since observed MSRT removing FakeSecSen from 994,061 distinct machines. The breakdown of these removals by region is shown below. Region/Country Distinct Machines Cleaned ...
  • Blog Post: MSRT and MMPC in 2H08 – Microsoft Security Intelligence Report

    The MSRT added the following threat families in 2H08. Rogues and botnet malware were the focus during the six months. New Family Note Added in Computers Cleaned by the MSRT in 2H08 Win32/Horst CAPTCHA breaking threat July 235,318 ...
  • Blog Post: Where is Waledac - Episode II

    The Spambot Whilst Win32/Waledac is probably best known for the ability to send spam, it can also download and execute arbitrary files. In addition to using this downloading mechanism to update itself, Waledac can also download other malware. The MMPC has observed the download of Trojan:Win32/FakeSpypro...
  • Blog Post: MSRT August Top Detection Reports

    This month the MMPC added a new threat family, Win32/FakeRean, to the MSRT. You can refer to Hamish’s blog post, “Win32/FakeRean and MSRT”, for more details on this fake, or rogue, security software. As of August 24, the MSRT had cleaned FakeRean from 162,328 infected machines. The following table...
  • Blog Post: Malware Distribution Across Operating Systems

    Depending on your background, you may find different sections of the newly published Microsoft Security Intelligence Report (SIR) to be of more interest. In today’s post, we would like to highlight the section on infection rates based on the operating system (OS) version and the service pack level. Microsoft...
  • Blog Post: Did You Say Malware? Where?

    Customers often look for information about malware that may affect them. For the last couple of years, we have shown that malware doesn’t spread evenly across the globe, despite the global nature of the Internet. Threats that rely on social engineering are not equally effective in different parts of...
  • Blog Post: Taterf – all your drives are belong to me!!!1!one!

    Greet1ngs, As you all probably know by now, this month in MSRT was a very significant release for Gamers everywhere with the addition of a variety of password stealers directly targeting Online games. The main targets are mostly based in Eastern Asia (Lineage Online, Legend Of Mir, ZT Online just...
  • Blog Post: Who's at Risk on the Internet Today? We All Are. Act Accordingly…

    Here at the Microsoft Malware Protection Center (MMPC) we look for ways to share the valuable data, insights and expertise that we have with our customers on a regular basis. We just released the sixth volume of our Microsoft Security Intelligence Report (SIR). The SIR shares the conclusions drawn by...
  • Blog Post: Malware Writer Wants an Eye-to-Eye With Us

    Zlob has been around for quite some time now and it is still evolving rapidly. If we thought of Zlob as a car, it has gone through the equivalent of several overhaulings... Zlob constantly changes its decryption, obfuscation, and structure. As is our everyday routine, we were looking at several new variants...
  • Blog Post: Threats at Home and at Work

    It’s pretty obvious that people often behave differently at home and at work. Microsoft has found that malware and potentially unwanted software are encountered differently and act differently in the two environments. The following graph shows the difference between the categories of threats encountered...
  • Blog Post: Microsoft Security Essentials – Week One

    Now that Microsoft Security Essentials is generally available to consumers in 19 countries, we've had a chance to go over the data, and there are some very interesting results. Just in the first week we saw well over 1.5 million downloads of Microsoft Security Essentials, but the price (free to Windows...
  • Blog Post: MSRT Review - Win32/FakeXPA and Win32/Yektel Rogues

    As mentioned previously on this blog, we added two “rogue” families to MSRT this month: Win32/FakeXPA and Win32/Yektel. We’ve known that rogues in general have been growing in prevalence for some time, and with two months of MSRT data (last month we added a family of rogues called Win32/FakeSecSen)...
  • Blog Post: 860,000 Computers Cleaned from Password Stealer Infections in One Week

    This month’s MSRT shows the following top ten most prevalent threat families as of May 19. The newly added and blogged rogue family, Win32/Winwebsec, is ranked at #17 with 34,792 infected machines. Family Most Significant Category Detections Infected Machines ...
  • Blog Post: Horst: (Something Old, Something New)

    The latest version of the MSRT was released on the 8th of July. The newest family selected for inclusion was "Horst". The Horst family is made up of a number of different components, each of which can perform different tasks. Tasks include downloading, malware distribution and email account registration...
  • Blog Post: re-BOOT This Year Clean

    It is that time of the year again to start anew. In terms of personal computers, the act of restarting the machine is called a reboot – an action that triggers execution of code from a special part of the disk called the Master Boot Record (a.k.a. MBR). As the year 2010 ended, I looked at some of the...
  • Blog Post: Win32/Rustock Hide and Seek – MSRT Telemetry

    In his 10/18 blog post, Oleg provided great insights about the distribution, installation and payload of Win32/Rustock, which was added to the MSRT 10/14 release. As of 10/29 MSRT has removed this rootkit from 99,418 distinct machines. The breakdown of these removals by region is shown below. ...
  • Blog Post: PDF E-ducation

    Recently, Marian and Andrei presented a paper at the CARO Workshop about PDF vulnerabilities and the exploits related to them. As we presented in our latest Security Intelligence Report, there was an increase in the use of these exploits, and the trend keeps going on. Since the beginning of the year...