Microsoft Malware Protection Center

Threat Research & Response Blog

  • The Streets of San Francisco

    February 14 is right around the corner and that can mean only one thing: it's time for the RSA conference in San Francisco. This year, Scott Charney, Corporate Vice President of Trustworthy Computing, will present a keynote Tuesday morning at 9am on Collective Defense: Collaborating to Create a Safer Internet. Scott's talk will highlight a number of computing trends and the evolution of online threats while sharing Microsoft's vision of how we can work together to improve the safety for everyone...
  • Battling the Zbot Threat (with MSRT)

    Hello Internet! As you may recall, last October we updated MSRT to include the well-known malware Zbot (aka Zeus), one of the more prolific bots we see in the wild today. Today, we released a special-edition Security Intelligence Report, entitled “Battling the Zbot Threat,” that documents the background, functionality, prevalence, and geographical distribution of Zbot malware. The paper also shows how Microsoft has had a measurable effect on the Zbot ecosystem since broadening its...
  • Another round of bots for MSRT

    This month we add another bot to the MSRT family list: Win32/Cycbot. Cycbot was discovered in August 2010 and has quickly become prevalent. It seems that Cycbot’s creators called it “Gbot”, as it used this name as an identifier in the reports it would send back to its controllers. Recent variants of the malware have stopped using this identifier, possibly in an attempt to make detection more difficult, but the functionality hasn’t changed much. All of Cycbot’s...
  • CVE-2010-3971, Not Quite the Weekend Warrior

    Today, the MSRC is releasing an update to address an Internet Explorer 0-day vulnerability (CVE-2010-3971), originally posted by a researcher to Full Disclosure in early Dec. Since the public disclosure took place, we, along with other MAPP partners, have been monitoring closely for malicious exploitation to keep tabs on the threat this issue posed to our customers. In late December, just before Christmas, we started seeing the first signs that attackers were actively trying to exploit this vulnerability...
  • Breaking up the Romance between Malware and Autorun

    As we reported in our most recent Security Intelligence Report, worms have been gaining speed in comparison to 2009. I remember a time when the world thought the day of the worm had come and gone. Although outbreaks that we saw in the Slammer and Blaster days never became an everyday occurrence, we’ve seen another trend where malware authors are upgrading their everyday static trojans to become worms and bots and oftentimes, bots that can propagate like worms. If you examine the top...
  • FakeXPA raises a few brows

    When rogue security software uses multiple different names for itself, it's not especially noteworthy. In the past we have seen rogues that changed their names almost every day, and even a single rogue executable that could use one of 33 different names for itself. After several months of calling themselves "Antivirus 8", recent variants of Rogue:Win32/FakeXPA have begun going by the name of "AVG Antivirus 2011." This is not to be confused with the legitimate antivirus product from AVG...
  • Bohu Takes Aim at the Cloud

    The Microsoft Malware Protection Center has been tracking a recent threat that attacks cloud-based antivirus technology provided by popular major antivirus software vendors in China. The malware is named Win32/Bohu (TrojanDropper:Win32/Bohu.A). The Bohu malware is native to the China region. Bohu attracts user installation by social engineering techniques, for example, using attractive file names and dropping a fake video player named “Bohu high-definition video player”. The more...
  • re-BOOT This Year Clean

    It is that time of the year again to start anew. In terms of personal computers, the act of restarting the machine is called a reboot: an action that triggers execution of code from a special part of the disk called the Master Boot Record (a.k.a. MBR). As the year 2010 ended, I looked at some of the threats targeting the MBR. Microsoft TechNet has this to say about the MBR: “The MBR, the most important data structure on the disk, is created when the disk is partitioned. The MBR contains a...
  • MSRT January ‘11: Win32/Lethic

    Win32/Lethic is a trojan that communicates with a remote server to distribute spam. Variants of Lethic install executable files with varied file names such as “shelldm.exe” or “xcllsx.exe”. The malware loads as a process when Windows starts. The trojan establishes a connection to remote servers using varied TCP ports, such as 1430, 8900, 8090 and so on. It communicates with servers with names such as “dqglobex.com”, “verywellhere.cn”, “iamnothere.cn” among others. Once connected, the trojan...
  • Kelihos and Waledac: Separated at Birth?

    In another instance of malware utilizing holiday-themed spam emails, our researchers had the opportunity to review in detail the threat we call Backdoor:Win32/Kelihos.A. An interesting aspect to this threat is its use of fast-flux in much the same way as the Win32/Waledac family. This similarity is not a coincidence. Analysis of Kelihos shows large portions of the code of Kelihos are shared with Waledac, suggesting it is either from the same parties or that the code was obtained, updated and reused...