Microsoft Malware Protection Center

Threat Research & Response Blog


  • MSRT July 2014 - Caphaw

    This month we added Win32/Caphaw and Win32/Bepush to the Malicious Software Removal Tool (MSRT). Caphaw is a malware family that can be used by criminals to gain access to your PC - the ultimate goal is to steal your financial or banking-related information. The graph below shows the number of machine encounters we have seen since September 2013. Figure 1: Caphaw encounters. Caphaw can be installed on a PC via malicious links posted on Facebook, YouTube, and Skype. It can also spread through...
  • Microsoft Digital Crimes Unit disrupts Jenxcus and Bladabindi malware families

    Today, following an investigation to which the Microsoft Malware Protection Center (MMPC) contributed, the Microsoft Digital Crimes Unit initiated a disruption of the Jenxcus and Bladabindi malware families. These families are believed to have been created by individuals Naser Al Mutairi, aka njQ8, and Mohamed Benabdellah, aka Houdini. These actions are the first steps to stop the people that created, distributed, and assisted the propagation of these malware families. There are more details...
  • Adware changes – One week to go

    A quick note to all of the developers out there. You have until 1 July to let us know if you think your software shouldn’t be detected under our new adware criteria. A few months ago I announced some major changes to how we at the Microsoft Malware Protection Center assess adware in my blog Adware: A new approach. As a reminder, the updated criteria define adware as: Programs that promote a product or service outside of their own program can interfere with your computing experience...
  • “Your fault - core dumped”- Diving into the BSOD caused by Rovnix

    Recently we have noticed some Win32/Rovnix samples (detected as TrojanDropper:Win32/Rovnix.K) causing the BSOD on Windows 7 machines. We spent some time investigating this situation and discovered an interesting story behind the BSOD. Analyzing the crash dump: We first saw TrojanDropper:Win32/Rovnix.K in October 2013. During a normal Windows boot the malware will cause the BSOD. Figure 1: Rovnix BSOD screenshot. To start, let’s analyze the crash dump using windbg: kd>...
  • MSRT June 2014 – Necurs

    This month we added Win32/Necurs to the Microsoft Malicious Software Removal Tool (MSRT). In a previous blog about Necurs I outlined the family's prevalence and the techniques it uses to execute its payload. In this blog, I will discuss the Necurs rootkit components Trojan:WinNT/Necurs.A and Trojan:Win64/Necurs.A in greater depth. These Necurs rootkit components are sophisticated drivers that try to block security products during every stage of Windows startup. It’s important to note...
  • Coordinated malware eradication nears launch

    Good news: the coordinated malware eradication preparations are almost done. We have held several roundtable meetings at industry events around the world, and the last two are scheduled for June and July. We had insightful conversations with a diverse group of experts from across the antimalware industry. The ideas have converged into a shared vision of how we’ll work together to put pressure on the malware ecosystem. I am excited for the first coordinated eradication campaigns to launch!...
  • MSRT May 2014 - Miuref

    Two new families were added to the Microsoft Malicious Software Removal Tool (MSRT) this month: Win32/Filcout and Win32/Miuref. We first detected Filcout in April 2014 after we observed it installing variants of Win32/Sefnit. We first detected Miuref in December 2013. This blog will discuss Miuref, a browser hijacker that can perform click fraud and hijack search results. The family has a number of means of getting itself onto a user’s computer. It can be installed via an exploit such...
  • SIRv16: Cybercriminal tactics trend toward deceptive measures

    Microsoft’s Security Intelligence Report volume 16 (SIRv16) was released today, providing threat trends on malware encounter rates, infection rates, vulnerabilities, exploits, and more for 110 countries/regions worldwide. The report is designed to help IT and security professionals better protect themselves and their organizations from cyberattacks. Malware data is gathered from the Malicious Software Removal Tool (MSRT), which is used to calculate the infection rate (Computers Cleaned...
  • The evolution of Rovnix: new Virtual File System (VFS)

    Last July, we published a blog about Rovnix’s private TCP/IP stack. We recently discovered another evolution in Rovnix – a variant that introduces a new Virtual File System (VFS). With our latest signature update we detect this Rovnix dropper as TrojanDropper:Win32/Rovnix.L and the infected VBR (Volume Boot Record) as Virus:DOS/Rovnix.gen!A. Unlike older Rovnix variants that store their components as raw disk sectors at the end of the disk, TrojanDropper:Win32/Rovnix.L stores...
  • Protection metrics trends – First quarter 2014 results

    It's been a few months since our last post on our metrics. I wanted to give you an update on families that are declining, new ones that are moving in, and on the way we're calculating our protection metrics to make them more accurate. Overall, our infection impact (0.29% for January to March) has remained consistently low since December. A few families have declined, but others have moved into their place. Our incorrect detections have stayed under 0.001% and our performance metrics remain...