Microsoft Malware Protection Center

Threat Research & Response Blog

  • Blog Post: What's Another 32-bits to Malware?

    The migration of PC computing from 32-bit to 64-bit is in full swing at last, and if you’ve been confused as to what it all means, you’re not alone. PCs built for years now have been capable of running both 32-bit and 64-bit operating systems, but for that you need a 64-bit version of Windows (and corresponding...
  • Blog Post: Online Game Password Stealers Riding with 0-day DirectShow Exploits

    On May 28, our colleagues at the Microsoft Security Response Center released advisory 971778, which elaborated on a new vulnerability in Microsoft DirectShow affecting Windows 2000, Windows XP and Windows Server 2003. You can obtain more details on how to protect your environment from this vulnerability...
  • Blog Post: MSRT and an Update of Worms in the Wild

    On April 14th, Microsoft released the latest update to the Microsoft Malicious Software Removal Tool. This month, as you know from Scott Molenkamp’s blog post, we added Win32/Waledac. In fact, of the top 5 families, worms make up 3 of the slots: Win32/Taterf, Win32/Frethog, and Win32/Koobface. ...
  • Blog Post: A Technical Analysis on the Exploit for CVE-2011-2110 Adobe Flash Player Vulnerability

    On June 14, Adobe released updates and a security bulletin (APSB11-18) referencing attacks affecting Adobe Flash Player (versions 10.3.181.23 and earlier). These attacks have been observed as hosted on webpages containing malformed SWF files. We spent some time analyzing this Flash Player vulnerability...
  • Blog Post: Little Red Riding Hood or Big Bad Wolf? Your Sweetheart or Waledac?

    Valentine's Day is almost here. While your friends and loved ones are crafting their e-cards, malware authors are also releasing their annual love letters into the mix. Win32/Waledac started a bit early; we noticed its Valentine-themed spam mails as early as January 26th. However, as Valentine's Day...
  • Blog Post: Win32/Koobface, MSRT and Industry Cooperation

    On March 10 we released an update to the Malicious Software Removal Tool to add targeting of the Win32/Koobface family. The addition of this threat came out of discussions with the security team at Facebook but this is not the first time we have added a family of malicious software to MSRT on request...
  • Blog Post: Our commitment to Microsoft antimalware

    We are fully committed to protecting our consumer and business customers from malware. Our strong solutions provide the comprehensive defense needed against malicious code and attacks. Our support of antimalware partners helps in building a strong and diverse ecosystem to fight malware. Over the past...
  • Blog Post: Malware and Signed Code

    Microsoft Authenticode® is a technology that can help ensure the source of code. It does not ensure that code is safe to run, but it can ensure that the code is associated with an entity in a trust chain. Since you should base your trust decision about code on whether you trust the source or not, Authenticode...
  • Blog Post: What’s Travelling on the Wire (part 2)

    Quite a while has passed since we started logging data about incoming attacks on an Internet-connected system and now we have gathered enough information to show the risks of exposing an unsecured computer on the Web. Let’s start with some data about the attacks, first where they originate from and...
  • Blog Post: Gamburl Gone Wild

    We’re seeing plenty of reports for a JavaScript redirector malware family that we call Gamburl; previous reports have called it Gumblar or Redir. These attacks seem to be coming from legitimate Web sites with pages that have been modified to contain this malicious script. So even if you’re visiting...
  • Blog Post: A Quick Update About MS08-067 Exploits

    A few weeks ago, Microsoft released an update for a vulnerability in Windows that was considered “wormable” in certain scenarios. Bulletin MS08-067 includes more information. There were limited attacks in the wild at the time of the release and we blogged about it here. We would like to give you a quick...
  • Blog Post: MSRT Observations – Online Game Password Stealers

    The February release of MSRT added a new threat family, Win32/Srizbi, as Vince discussed last week. As of February 16, MSRT has cleaned 38,697 machines from Srizbi infections, which is 14.1% of the total September 2007 removals of Win32/Nuwar or the “Storm” worm during the same timeframe. So what...
  • Blog Post: A Peek at MSRT November Threat Reports

    By continuing to include new variants of the existing threat families, the MSRT has removed malware from more than 1.5 million machines three days after its release on 10 November. This month we’ve also added Win32/FakeVimes and Win32/PrivacyCenter to the MSRT detection and have removed these new rogues...
  • Blog Post: Password Stealers are Top Threats in China and Brazil

    On July 14, the MMPC added another fake security software program (rogue), Win32/FakeSpyPro, to the MSRT release. As of July 29, MSRT removal of FakeSpyPro had been reported from 187,258 machines worldwide. Rogues continue to be disruptive worldwide. Three families (FakeSpyPro, InternetAntivirus and...
  • Blog Post: MMPC @ Gamefest 2008

    I had the privilege of presenting a couple of weeks ago at Gamefest 2008, a Microsoft-sponsored technical conference targeted at the games industry. I spoke about game password stealers: what they do, which games are targeted by which families and the behaviors of those families, prevalence, number of...
  • Blog Post: Let telemetry be your guide, a proposal for security tests…

    Users today are offered choices among many security products, any number of which are sufficient, and none perfect. Along with these products are myriads of product test results and certifications, all there to help you make a better, more informed decision on which product to use. And as product developers...
  • Blog Post: What’s travelling on the wire

    Just a few days ago we installed a new network protocol analyzer in our lab here in Dublin. It was late when the configuration was done, so we just fired it up and let it run until the next day. After all, we didn't expect to get much attention in the beginning. In a couple of hours, the first signs...
  • Blog Post: MSRT October Release – Case Study

    As of October 21st, the MSRT has removed the newly added threat, Win32/FakeScanti, from 56,700 infected machines. For this month, it was the 12th most prevalent threat family worldwide and 7th in the US. Overall, the MSRT has cleaned 2,516,235 machines this month from all kinds of malware infections. ...
  • Blog Post: Cleaning Over 10 Million IRC Bots

    No one could have anticipated all the ways that Internet Relay Chat (IRC) would eventually be used when it was 'created' in Finland during the late 1980s. People really started picking up on IRC in the early 1990s, and as with virtually all popular technologies, it started to get abused. IRC enables...
  • Blog Post: MSRT on CAPTCHA breaking malware

    A CAPTCHA (IPA: /ˈkæptʃə/) is a type of challenge-response test used in computing to ensure that the response is not generated by a computer. The process involves one computer (a server) asking a user to complete a simple test which the computer is able to generate and grade. Because other computers...
  • Blog Post: Banload – The Other January Addition to MSRT

    This month’s MSRT release includes signatures for Win32/Banload. This family of malware is known to download and execute variants of both Win32/Bancos and Win32/Banker, which are both malware families of password-stealing trojans. Typically, they attempt to capture online banking credentials and other...
  • Blog Post: Microsoft Security Intelligence Report Volume 5 is Now Available

    One of our goals here at the Microsoft Malware Protection Center (MMPC) is to share the valuable data, insights and expertise we have with customers on a regular basis in an effort to help customers better understand the changes occurring in the threat landscape and improve their defenses accordingly...
  • Blog Post: MSRT January ‘11: Win32/Lethic

    Win32/Lethic is a trojan that communicates with a remote server to distribute spam. Variants of Lethic install executable files with varied file names such as “shelldm.exe” or “xcllsx.exe”. The malware loads as a process when Windows starts. The trojan establishes a connection to remote servers using...
  • Blog Post: Recession, Music, and Wimad

    Nowadays almost everyone is affected by the recession in one way or another. More and more people try to save money. Instead of buying licensed songs in CD form or from reputable online services, some people prefer to download songs via P2P or do a direct download from untrusted sites. This is a popular...
  • Blog Post: MSRT Review on Win32/FakeSecSen Rogues

    Win32/FakeSecSen was added to the MSRT November release, as Hamish mentioned in his MMPC blog. We’ve since observed MSRT removing FakeSecSen from 994,061 distinct machines. The breakdown of these removals by region is shown below. Region/Country Distinct Machines Cleaned ...