Microsoft Malware Protection Center

Threat Research & Response Blog


  • Download at your own risk: Bitcoin miners bundled with game repacks

    Recently we have seen an emerging trend among malware distributors - Bitcoin miners being integrated into installers of game repacks. This type of system hijacking is just one of the many ways to exploit a user by utilizing their system's computing resources to earn more cash. Malware is easily bundled with game installers that are then uploaded and shared with unsuspecting users using torrent download sites. Once a machine is infected, a downloaded Bitcoin miner silently carries out mining...
  • MSRT September 2014 - Zemot

    This month we added the Win32/Zemot family to the Malicious Software Removal Tool. The Zemot family of trojan downloaders are frequently used by malware with a number of different payloads. We started seeing activity from TrojanDownloader:Win32/Upatre.B in late 2013 and identified this threat as the main distributor of the click fraud malware PWS:Win32/Zbot.gen!AP and PWS:Win32/Zbot.CF. We renamed the downloader to Zemot in May 2014. Recently, other malware such as Win32/Rovnix, Win32/Viknok...
  • USB firmware: An upcoming threat for home and enterprise users

    Every year, thousands of hackers and security researchers from around the world descend on Las Vegas to attend the annual Black Hat security conference. The conference boasts top notch security presentations from industry leaders – often centered on breaking computer security. Although many of the presentations are on breaking things, most of the attendees and presenters are in fact using the knowledge for good – to design more secure software, better secure their organization, or fix...
  • The fall of rogue antivirus software brings new methods to light

    Rogue antivirus software has been a part of the malware ecosystem for many years now – Win32/SpySheriff and Win32/FakeRean date all the way back to 2007. These rogues, and the many that have followed them throughout the years, generally mislead and scare users into paying a fee for "cleaning" false detections that the software claims to have found on the machine. They often use dozens of different brandings and name combinations in an attempt to hide, cover their tracks, and avoid...
  • FireEye and Fox-IT tool can help recover Crilock-encrypted files

    Since file-encryption ransomware Crilock (also called CryptoLocker) has reared its head, the security industry has been hard at work finding ways to mitigate and neutralize these threats. We've also been hard at work finding ways to recover from the encryption and restore affected files - such as our recommendations on using version control and recovery options in SkyDrive and Windows. This week, researchers from FireEye and Fox-IT have released a tool that may be able to recover files encrypted...
  • MSRT August - Lecpetex

    This month we added Win32/Lecpetex to the Microsoft Malicious Software Removal Tool (MSRT). The addition will assist with the detection and clean-up of this family following the recent Facebook take-down of the Lecpetex botnet. The graph below shows the number of unique machine encounters we have seen since February this year. The primary Lecpetex payload is a Litecoin miner that is installed to the infected system. A malicious hacker can then use the compromised PC to generate Litecoins...
  • The future of independent antimalware tests

    Our guiding vision at the Microsoft Malware Protection Center (MMPC) is to keep every customer safe from malware. Our research team and machine learning systems, as well as industry engagement teams, function around the clock in an effort to achieve this vision. As part of these efforts, we are also working with independent antimalware testing organizations towards advancing the relevance of independent testing and reporting. Our goal is to help enable independent antimalware testing organizations...
  • A particularly convincing nefarious ad

    As a researcher with the Microsoft Malware Protection Center (MMPC), I see a lot of digital advertising. Recently I came across a nefarious ad that is so convincing I need to warn you about it. Below is a mock-up of the ad I saw. I've changed the name of the company to Contoso, which is a fictitious company used by Microsoft in examples and documentation: Figure 1: The nefarious ad. At first glance, the ad seems to follow all of the criteria Microsoft has for clean advertising as...
  • MSRT July 2014 - Caphaw

    This month we added Win32/Caphaw and Win32/Bepush to the Malicious Software Removal Tool (MSRT). Caphaw is a malware family that can be used by criminals to gain access to your PC - the ultimate goal is to steal your financial or banking-related information. The graph below shows the number of machine encounters we have seen since September 2013. Figure 1: Caphaw encounters. Caphaw can be installed on a PC via malicious links posted on Facebook, YouTube, and Skype. It can also spread through...
  • Microsoft Digital Crimes Unit disrupts Jenxcus and Bladabindi malware families

    Today, following an investigation to which the Microsoft Malware Protection Center (MMPC) contributed, the Microsoft Digital Crimes Unit initiated a disruption of the Jenxcus and Bladabindi malware families. These families are believed to have been created by individuals Naser Al Mutairi, aka njQ8, and Mohamed Benabdellah, aka Houdini. These actions are the first steps to stop the people that created, distributed, and assisted the propagation of these malware families. There are more details...