Microsoft Malware Protection Center

Threat Research & Response Blog

  • Microsoft Malware Protection Center

    MSRT October '11: EyeStye

    This month, the Malicious Software Removal Tool (MSRT) targets two families: Win32/EyeStye and Win32/Poison. EyeStye (aka 'SpyEye') is a family of trojans that steals information, targeting authentication data used for online banking such as passwords and digital certificates. The method it employs is called "form grabbing", which involves the interception of webform data submitted to the host through the client's browser. By intercepting this data, authentication information can be stolen...
  • Microsoft Malware Protection Center

    New: Microsoft Security Intelligence Report Volume 11 - Now Available

    Hi, again everyone! Today we released the 11th volume of the Microsoft Security Intelligence Report, also known as SIRv11. I have to say once again we’ve outdone ourselves and launched the largest and most comprehensive version of this report to date. This time it’s over 800 pages of threat intelligence spanning 100+ countries and regions around the world. The report provides threat trends and data analysis on topics like software vulnerabilities, exploits, malicious code and potentially...
  • Microsoft Malware Protection Center

    Online game trading - sometimes more than you bargained for

    Some online games offer features for the game players to sell their game items online. In such situations, it is highly likely some sellers may send the potential buyers a screenshot of their items for sale, for example, via Instant Messaging programs. Recently, malware distributors have started taking advantage of this. They pretend to be selling items and send a "screenshot" of their items for sale, when in fact, the "screenshot" file sent is a malicious executable file disguised as an image...
  • Microsoft Malware Protection Center

    Operation b79 (Kelihos) and Additional MSRT September Release

    For the month of September, Microsoft is adding the Win32/Kelihos family to a second release of the Malicious Software Removal Tool. This additional release is to support the most recent action in Project MARS - Operation b79, which targets the Kelihos botnet. Operation b79 builds on the successes of the Rustock and Waledac takedowns. This operation extends previous legal tactics in addition to our various technical measures in that we are, for the first time, naming a defendant in a civil case involving...
  • Microsoft Malware Protection Center

    A tale of grannies, Chinese herbs, Tom Cruise, Alureon and steganography

    I've been monitoring the development of a particular strain of Alureon since the start of August this year. The installer (detected as Trojan:Win32/Alureon.FE - cc9a8000f80b6aecee30375e3277292a725acbfb) is easily distinguishable from more prevalent strains such as Trojan:Win32/Alureon.DX by the use of PE resources to store each component. This particular installer is often downloaded by variants of Trojan:Win32/Fakesysdef using remote file names such as '531-direct'. Whilst investigating one...
  • Microsoft Malware Protection Center

    Rustock Case Update

    Today, Microsoft's Digital Crimes Unit announced that we have concluded our civil case against the Rustock botnet operators and turned evidence found during that investigation over to the FBI as a criminal referral. While the FBI will be driving that investigation, we will continue to offer the $250,000 reward for information which leads to the arrest and conviction of Rustock's operators. Any leads can be sent to ms_referrals@ic.fbi.gov. We will continue to work with ISPs and CERTs to clean infected...
  • Microsoft Malware Protection Center

    Banker – the other way around

    There are many techniques used by malware in the banker family to steal users’ authentication credentials for online banking sites. We came across an interesting sample recently, detected as Trojan:Win32/Banload.A, which uses a remote proxy script in order to target online banking sites and facilitate data theft. When Trojan:Win32/Banload.A is executed, it opens an Internet browser to a certain animation site to trick the user into thinking that it’s nothing but an animation file...
  • Microsoft Malware Protection Center

    Doing the Zbot spot; playing gotcha with a botnet

    Greetings Internet! This month (carefully hidden under the Win32/Bamital blanket), employing the old adage 'fight fire with fire', we decided to fight sneakiness with sneakiness and quietly slipped a fairly major Win32/Zbot update into MSRT. "Zbot" I hear you say? Yes, it's still around and kicking. Despite Win32/Zbot (officially self-titled with the oh-so-ego-inflating 'Zeus' moniker, despite never fathering Hercules bot, nor employing lightning in any way during infection) being rumoured to...
  • Microsoft Malware Protection Center

    Bamm Bamm, Rubble.

    The family selected for addition to MSRT this month is Win32/Bamital. Win32/Bamital was first discovered in September 2009 and was able to intercept and modify queries performed by search engines such as AltaVista, Bing, Google and Yahoo. Win32/Bamital has evolved over a number of generations, employing a varying range of system modifications to ensure that the malicious code is executed. Whilst the complexity of Win32/Bamital has increased over time, the core functionality of search hijacking has...
  • Microsoft Malware Protection Center

    Win32/AdsLock – advertising content locking tool turned ransomware

    It is clear that breaking search engine rules and exploiting functionality to drive traffic and monetize content is a lucrative and extremely viable business for unethical or so called "blackhat" search engine optimization (SEO). We have recently seen another method of driving traffic and monetizing content that doesn't involve directly serving malicious content via search engine results, but rather uses a modified version of an Internet advertising technique known as content locking. According...
Page 14 of 44 (440 items)