Microsoft Malware Protection Center

Threat Research & Response Blog

  • Microsoft Malware Protection Center

    Threats at Home and at Work

    It’s pretty obvious that people often behave differently at home and at work. Microsoft has found that malware and potentially unwanted software are encountered differently and act differently in the two environments. The following graph shows the difference between the categories of threats encountered by Windows Live OneCare users, which is for home use, and Forefront Client Security, which is designed to be managed at work. At work, computers are more likely to encounter self-replicating threats...
  • Microsoft Malware Protection Center

    An Introduction to MMPC's Paladin (Automated Vulnerability Analysis)

    Paladin describes a set of internal tools that automate the steps a researcher would take to understand how a given exploit takes advantage of a given vulnerability. As of today, these tools are not for public consumption. These tools take as input a vulnerable program and an exploit. The tools run the exploit against the vulnerable program and generate an output file. This output file characterizes how the exploit puts the vulnerable program into a malicious state. A vulnerable program is...
  • Microsoft Malware Protection Center

    Where's Waledac?

    The family added to the April MSRT release is Win32/Waledac. If you haven't heard of the family before, there is a chance you may have seen some of the spam generated by Win32/Waledac in your inbox. We've blogged about some of the spam campaigns in the past, such as Fake Obama or the Valentine Devkit. The most recent spam campaign uses a fake “Reuters Terror Attack” themed lure. Reuters Terror Attack: Win32/Waledac is a complex spam bot. It also has the ability to download and execute arbitrary...
  • Microsoft Malware Protection Center

    Did You Say Malware? Where?

    Customers often look for information about malware that may affect them. For the last couple of years, we have shown that malware doesn’t spread evenly across the globe, despite the global nature of the Internet. Threats that rely on social engineering are not equally effective in different parts of the world due to language barriers or cultural factors. Also, the malware sometimes spreads using exploits in applications, which are also unevenly distributed around the world. The Microsoft Security...
  • Microsoft Malware Protection Center

    Yes, SIR, More Rogues!

    As Vinny mentioned in his post, the data in our recently released Microsoft Security Intelligence Report (SIR) clearly shows what we've been seeing in our day-to-day research over the last six months or so - rogue security software is getting more prevalent. As well as the raw data, the SIR includes some of our research into how rogues evolved over the second half of 2008. In addition to becoming more widespread, we saw rogues get more sophisticated and aggressive. There were two families that...
  • Microsoft Malware Protection Center

    Win32/Conficker Variants Update

    There have been new developments in the Conficker arena within the past couple of days. We would like to inform those who are concerned that the MMPC is working to make sure you have the information you need, first to be protected from any threat; and second, to provide you with a full understanding of the threat itself. There have been primarily two new binaries reported. We are pleased to inform you that Microsoft products such as Windows Live OneCare, Windows Live OneCare safety scanner, and the...
  • Microsoft Malware Protection Center

    Cashing in on Conficker's Bad Name

    Over the last couple of days we've seen some spam claiming to be from Microsoft, providing a free scan to remove Conficker. Here's an example: The link actually takes you to a typical fake online scanner page used to serve up a rogue security scanner: In this case the page tries to get you to download TrojanDownloader:Win32/Renos.HL which in turn installs the rogue Trojan:Win32/WinSpywareProtect. You can read tips on how to recognize and avoid fraudulent e-mail. --Hamish O'Dea
  • Microsoft Malware Protection Center

    Who's at Risk on the Internet Today? We All Are. Act Accordingly…

    Here at the Microsoft Malware Protection Center (MMPC) we look for ways to share the valuable data, insights and expertise that we have with our customers on a regular basis. We just released the sixth volume of our Microsoft Security Intelligence Report (SIR). The SIR shares the conclusions drawn by our research team using data gathered from hundreds of millions of computers worldwide and some of the busiest services on the internet. A very clear trend we saw in the second half of 2008 was the...
  • Microsoft Malware Protection Center

    Birthday Problem and Conficker

    Hide behind huge numbers, making fighting against very expensive. Birthday problem or paradox is the probability that, from a given set of people, two of them will have the same birthday. It is a paradox because the result defies common sense. For a group of 23 people, the chance that two of them share the same birthday is greater than 50%, and for a group of 57 people, it is higher than 99%. The best known use of Birthday Problem paradox is probably the Cryptographic Attack known as the Birthday...
  • Microsoft Malware Protection Center

    A Few Quiet Days… and a New Exploit of MS08-067 Has Been Identified

    April 1st is behind us and nothing really happened with Conficker. But it is never boring in the antimalware world. We have found a new exploit of MS08-067 other than Conficker. We also discovered that we already detected and protected users against this new malware. We added information about mitigations against this malware at the end of this blog post. Neeris is a worm that has been active for a few years. Some of its variants used to exploit MS06-040 which addressed a vulnerability in the...