Microsoft Malware Protection Center

Threat Research & Response Blog


  • Redirect hides browser extension

    While analyzing a malicious Chrome browser extension we recently came across a VirTool that tries to redirect the Chrome Extension page. We detect it as VirTool:JS/Redichrextor.A. VirTool:JS/Redichrextor.A won’t let you view, change, remove or uninstall Chrome browser extensions. It does this by stopping you from viewing the Chrome Extension page. It uses this technique so an affected user won’t be able to remove or uninstall the malicious extension without help from their...
  • Be a real security pro - Keep your private keys private

    One of the many unusual characteristics of the Stuxnet malware that was discovered in 2010 was that its files were distributed with a valid digital signature, created using authentication credentials that belonged to two unrelated legitimate software companies. Normally the signature would verify that the program was issued by the company listed in the signing certificate, and that the contents of the program had not been tampered with since it was signed. By using other companies’ authentication...
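    The post's point, that a valid signature proves only that whoever signed held the private key, can be shown with a toy model. The block below is an added example written for this page, not code from the MMPC post: it uses textbook RSA over a truncated SHA-256 digest with two fixed Mersenne primes, and the "publisher", file contents and stolen-key scenario are all constructed. Real Authenticode adds X.509 certificates, PKCS#1 padding, a CA chain, timestamps and revocation checks, none of which is modelled here.

```python
# Added example (not from the MMPC post): a toy textbook-RSA code-signing
# model showing what a signature check does and does not prove.
# Primes, keys, "publishers" and file contents are constructed for
# illustration; this is NOT Authenticode.
import hashlib
from math import gcd

# Two known Mersenne primes (2^61-1 and 2^89-1): small enough to be fast,
# large enough that the 128-bit digest we sign is below the modulus.
P = 2**61 - 1
Q = 2**89 - 1
E = 65537


def make_keypair():
    """Return (public, private) toy RSA keys; stands in for a publisher's
    code-signing certificate and its private key."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    assert gcd(E, phi) == 1           # holds for these primes (65537 divides 2^k-1 only when 32 | k)
    d = pow(E, -1, phi)               # modular inverse, Python >= 3.8
    return (n, E), (n, d)


def digest(data: bytes) -> int:
    """Hash the file and truncate to 128 bits so the value is < n."""
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def sign(private_key, data: bytes) -> int:
    n, d = private_key
    return pow(digest(data), d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    """True iff `signature` was produced over `data` with the private key
    that matches `public_key`. It says nothing about who held that key."""
    n, e = public_key
    return pow(signature, e, n) == digest(data)


def scenario():
    """Constructed scenario: a legitimate publisher signs its driver; an
    attacker who stole the publisher's private key signs malware with it."""
    pub, priv = make_keypair()
    genuine = b"legit driver build 1.0"
    tampered = b"legit driver build 1.0 + injected payload"
    malware = b"unrelated malicious payload"

    sig_genuine = sign(priv, genuine)
    sig_malware = sign(priv, malware)     # attacker uses the stolen key

    return {
        # Authenticity + integrity: the untouched, correctly signed file passes.
        "genuine_verifies": verify(pub, genuine, sig_genuine),
        # Integrity: any change after signing breaks the check.
        "tampered_verifies": verify(pub, tampered, sig_genuine),
        # A signature only proves possession of the private key: malware
        # signed with the stolen key verifies exactly like the genuine file.
        "stolen_key_malware_verifies": verify(pub, malware, sig_malware),
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {ok}")
```

    The third result is the Stuxnet lesson: once a signing key leaks, every verifier on every machine will accept whatever the thief signs, and the only remedy is to revoke the certificate and wait for clients to honour the revocation. Protecting the private key (hardware token or HSM, no export, restricted signing pipeline) is therefore part of the product's security boundary, not an operational nicety.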
  • Tackling the Sefnit botnet Tor hazard

    Sefnit, a prevalent malware family known for using infected computers for click fraud and bitcoin mining, has left millions of machines potentially vulnerable to future attacks. We recently blogged about Sefnit performing click fraud and how we added detection on the upstream Sefnit installer. In this blog we explain how the Tor client service, added by Sefnit, is posing a risk to millions of machines, and how we are working to address the problem. Win32/Sefnit made headlines last August as it took...
  • Our protection metrics – October results

    Last month we introduced our monthly protection metrics and talked about our September results. Today, we’d like to talk about our results from October. If you want a refresh on the definition of the metrics we use in our monthly results, see our prior post: Our protection metrics – September results. During October 2013, while our rate of incorrect detections remained low, and our performance metrics stayed fairly consistent, the infection rate of 0.18 percent was higher in comparison...
  • Rotbrow: the Sefnit distributor

    This month's addition to the Microsoft Malicious Software Removal Tool is a family that is both old and new. Win32/Rotbrow existed as far back as 2011, but the first time we saw it used for malicious purposes was only in the past few months. In September, Geoff blogged about the dramatic resurgence of Win32/Sefnit (aka Mevade). At the time, we knew of several ways in which Sefnit was distributed, but we continued investigating how it was able to get on so many machines. When we concentrated on...
  • Our protection metrics - September results

    Earlier this year, we started publishing a new set of metrics on our portal – An evaluation of our protection performance and capabilities. These metrics show month over month how we do in three areas: coverage, quality, and customer experience in protecting our customers. And, since we started to publish the results on this page, I've had many great conversations with customers and partners alike, discussing what the results mean for their organization and their protections. In this post...
  • MSRT November 2013 - Napolar

    We first noticed the new family we named Win32/Napolar being distributed in the wild in early August this year. It quickly became a big problem on our customers’ machines. Napolar is one of two families targeted by the Malicious Software Removal Tool (MSRT) this month. The other is the bitcoin mining family Win32/Deminnix. As shown in the chart below, Napolar was hitting ~220K unique machines during the week of August 23rd. Napolar is a trojan that can download and run files, utilize...
  • Viewing Vobfus infections from above

    Win32/Vobfus is a family of worms that spreads via removable drives and downloads other malware, and a family that is causing people a lot of pain lately. Vobfus was initially discovered in September 2009 and became prevalent with its use of the MS10-046 .LNK vulnerability. The .LNK vulnerability has also been used by Chymine, Sality, and Zbot, though it is no longer used by Vobfus. The name Vobfus comes from the characteristics that these worms are Visual Basic and obfuscated. Vobfus is...
  • Another year, another rogue. Not what the doctor ordered

    Another new year is almost upon us. Or at least that's what the distributors of Rogue:Win32/Winwebsec would have us believe - releasing a new branding System Doctor 2014 just prior to the middle of 2013.

    Figure 1: System Doctor 2014 user interface

    For some time, Winwebsec has had only one branding active at a time. While there have been a number of name changes, the interface and behavior have otherwise remained mostly unchanged. System Doctor 2014 represents a departure from this, with...
  • End of support for Java SE 6

    If you’re running Java SE 6, we have some news for you: Oracle stopped providing public updates to it after February 2013. Enterprise customers will still have access to long-term support through their support channels. For everyone else, you should upgrade to Java SE 7 and remove Java SE 6 - remember that Java doesn’t remove older versions by default, so the unpatched Java SE 6 runtime stays installed and exploitable alongside the new one. Malware exploiting vulnerabilities in Java isn’t new. We’ve written about Java vulnerabilities on this blog before. In fact...