Microsoft Malware Protection Center

Threat Research & Response Blog

  • Upatre update: infection chain and affected countries

    Upatre is a type of malware that is typically installed on a machine after a person is tricked into clicking a link or opening an attachment contained in a spam email. Since January 2015, we have seen such spam emails commonly distributed by variants of the Hedsen and Cutwail malware families. Upatre's malicious actions vary, but it commonly acts as a central distribution platform for a number of other threat families. For example: The malware reaches out to a command-and-control...
  • MSRT March: Superfish cleanup

    This month we added two new families to the Microsoft Malicious Software Removal Tool: Win32/CompromisedCert and Win32/Alinaos. The Alinaos trojan family targets point-of-sale terminals to steal credit card information. This blog will discuss the security risk presented by Superfish, an ad-injecting application that we detect as CompromisedCert. Some new Lenovo consumer notebooks sold between September 2014 and February 2015 had Superfish pre-installed. In February, it was discovered that...
  • Monitoring tools: user notification required

    The Microsoft Malware Protection Center (MMPC) helps to keep Windows customers in control of their computing experience, information, and privacy. We use objective criteria to help protect customers against malware and unwanted software. This means helping to protect you against monitoring software that maliciously collects and provides unauthorized access to your private data. We are aware of social engineering campaigns that target users in Eastern Europe and Brazil using monitoring software...
  • Microsoft Malware Protection Center assists in disrupting Ramnit

    Recent disruption of the Ramnit malware family was successful due to a multinational collaboration, led by Europol’s European Cybercrime Center (EC3), in partnership with Financial Services and Information Sharing & Analysis Center (FS-ISAC), Symantec, AnubisNetworks, Microsoft’s Digital Crimes Unit (DCU), and the Microsoft Malware Protection Center (MMPC). The MMPC has been closely monitoring Ramnit since its discovery in April 2010, as you can see by reading: Ramnit - The renewed...
  • Microsoft steps up in industry efforts on mitigating false positives

    Antimalware vendors write signatures so that their corresponding products can detect and take action on malicious files. Every once in a while, a signature also detects a clean file – a file that doesn’t do anything malicious at all. The antimalware industry calls this a “false positive”, also referred to as an “incorrect detection”. It’s not pretty when an application or program is flagged as a false positive – users can’t run the program, customer...
  • MSRT February: Escad and NukeSped

    This month we added three new families to the Microsoft Malicious Software Removal Tool (MSRT) to help protect our customers: Win32/Escad, Win32/Jinupd and Win32/NukeSped. While this blog focuses on Escad and NukeSped, we want to note that Jinupd is point-of-sale malware that steals sensitive data, such as credit card information, and sends it to a malicious hacker. The Escad and NukeSped malware families have backdoor capabilities that have been used as part of targeted attacks. It is...
  • System Center Endpoint Protection support for Windows Server 2003

    From July 14, 2015, Windows Server 2003 will cease to be a supported operating system. From this date Windows Server 2003 customers will no longer receive: definition updates for System Center Endpoint Protection and Forefront Endpoint Protection; free or paid assisted support options; online technical content updates; security updates. We recommend finalizing your Windows Server migration plans today. Our research in the Security Intelligence Report Volume 17 has shown some of...
  • MAPS in the cloud: How can it help your enterprise?

    Malware can easily send a huge enterprise infrastructure into a tailspin. However, you can get greater protection from malware by using services in the cloud. Yes, there’s an opportunity to get real-time results from suspicious malware triggers, where your system can: consult the cloud upon detecting suspicious malware behaviors, and respond by blocking malware based on logic derived from the account ecosystem data and local signals from the client. How? Through the Microsoft...
  • Crowti update - CryptoWall 3.0

    After a hiatus of almost two months over the holidays, a new campaign of Crowti tagged as 'CryptoWall 3.0' has been observed. It uses a similar distribution channel as before, having been downloaded by other malware and serving as a payload through exploits. The graph below shows the spike after two days of no activity from 288 unique machines affected by this malware: Figure 1. Sudden spike from CryptoWall 3.0 activity this month. It still follows the same behavior as previous...
  • MSRT January 2015 – Dyzap

    This month we added the Win32/Emotet and Win32/Dyzap malware families to the Malicious Software Removal Tool. Both Emotet and Dyzap are trojans that steal personal information, including banking credentials. In a previous blog we detailed how Emotet targets German-language banking websites. In this blog, we will focus on Dyzap – another prevalent banking trojan that predominantly targets English-speaking countries. Dyzap variants target credentials for online banking, crypto currency...