Microsoft Malware Protection Center

Threat Research & Response Blog

  • MSRT December 2014

    This month is our final release of the Malicious Software Removal Tool (MSRT) for 2014. Although we didn’t add any new malware families, we updated the tool with the latest detection and remediation capabilities for the malware families added in previous releases. Since January 2014, there have been more than seven billion successful MSRT installs via Microsoft Windows Update. This is an average of 500 million installs every month. The MSRT detected and successfully removed malware on more...
  • An interesting case of the CVE-2014-8439 exploit

    We have recently seen an exploit targeting the Adobe Flash Player vulnerability CVE-2014-8439 (we detect it as Exploit:SWF/Axpergle). This exploit is being integrated into multiple exploit kits, including the Nuclear exploit kit (Exploit:JS/Neclu) and the Angler exploit kit (Exploit:JS/Axpergle). Adobe released a patch in November to address this vulnerability (APSB14-26). Coincidentally, our investigation shows that Adobe had earlier released a patch to address a different vulnerability, and that patch appears...
  • An inside look: gathering and analyzing the SIR data

    At the Microsoft Malware Protection Center, threat data is a critical source of information to help protect our customers. We use it to understand what’s going on in the overall malware ecosystem, determine the best way to protect our customers, and find the most effective way to deliver that protection. We also use the data to produce a number of reports to help our customers, including our twice-yearly Security Intelligence Report (SIR). This blog post gives you a behind-the-scenes look...
  • Expired antimalware software is nearly as unsafe as having no protection at all

    Analyzing data to find the root cause of infections has been a long-standing focus of the MMPC. One area we've been investigating is the correlation between endpoint protection and infection rates. Back in version 14 of the Security Intelligence Report (SIRv14), we first published infection rates for PCs protected with fully up-to-date antimalware software, compared with PCs that either had no antimalware software or had software that was turned off or out of date. We discovered that PCs...
  • MSRT November 2014 – Tofsee

    This month we added the Win32/Tofsee and Win32/Zoxpng malware families to the Malicious Software Removal Tool. Zoxpng is a backdoor component that can execute commands sent by a remote attacker. It is related to Win32/Hikiti and the other threats added to the MSRT last month. Let’s take a closer look at Tofsee, the email-spamming malware family. Tofsee is a multi-component malware family made up of three components: a loader, its main spambot payload, and plugins. Its primary payload...
  • Cracking the CVE-2014-0569 nutshell

    The Microsoft Malware Protection Center (MMPC) has recently seen an exploit targeting the Adobe Flash Player vulnerability CVE-2014-0569. This exploit is being integrated into the Fiesta exploit kit. The vulnerability was addressed by a patch that Adobe released on 14 October 2014. Versions 15.0.0.167 and earlier of the Adobe Flash Player desktop runtime for Windows are vulnerable. If you're running a vulnerable Adobe Flash Player version, you should update now to help protect...
  • The dangers of opening suspicious emails: Crowti ransomware

    The Microsoft Malware Protection Center (MMPC) has seen a spike in the number of detections for the Win32/Crowti ransomware family this month as the result of new malware campaigns. Crowti is a family of ransomware that encrypts the files on your PC and then demands payment to unlock them. These threats are being distributed through spam email campaigns and exploits. Crowti affects both enterprise and home users; however, this type of threat can be particularly...
  • Novetta leads first coordinated malware eradication campaign

    Earlier this month, Novetta took their initial public action in the first Coordinated Malware Eradication (CME) campaign against Win32/Hikiti and its associated threats. Today, Novetta released a comprehensive report that describes in detail the threats and threat actors, known as Axiom, targeted in this campaign. Axiom is a well-resourced, disciplined, and sophisticated threat actor that analysts believe has been conducting espionage operations online since at least 2008. Since then, Axiom...
  • Staying in control of your browser: New detection changes

    This week we made some important changes to how we detect browser modifiers and adware. These changes are designed to better protect your browsing experience. We have already blogged about the changes to the behaviors we detect as adware. I will explain the changes to our browser modifier detections below. Our objective criteria have all the details about how and why we detect unwanted software. Unacceptable behaviors: there are two new browser modifier behaviors that we detect: Bypassing...
  • Close means close: New adware detection criteria

    In April we introduced the rules that software developers should follow when creating advertisements to avoid being detected by Microsoft security products as adware. These rules are designed to keep our customers in control of their Internet browsing experience. Since then, we have had great success working with some companies through our developer contact process. At the same time we have started to see other advertising programs trying to bend and even circumvent our rules. These advertisements...
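The CVE-2014-0569 item above gives a concrete criterion (Flash Player desktop runtime for Windows 15.0.0.167 and earlier is vulnerable) but no way to check a machine against it. The following PowerShell is an added example, not code from the MMPC post or from Adobe: it parses Flash version strings in both the dotted file-version form and the comma-separated form Flash itself reports, compares them against 15.0.0.167, and walks the usual Flash install directories to report every binary found. The directory paths and file-name patterns are assumptions about a typical Flash install, not facts stated on the page.

```powershell
# Added example (not from the MMPC post): report Flash Player binaries that are
# 15.0.0.167 or earlier, the range the post names as vulnerable to CVE-2014-0569.
#
# Assumptions (not from the post): the desktop runtime lives under
# $env:SystemRoot\System32\Macromed\Flash and, on 64-bit Windows,
# $env:SystemRoot\SysWOW64\Macromed\Flash, as Flash*.ocx (ActiveX) and
# NPSWF*.dll (NPAPI plugin) files.

$LastVulnerableVersion = [version]'15.0.0.167'

function ConvertTo-FlashVersion {
    # Flash reports versions as "15.0.0.167" (file version) or "15,0,0,167"
    # (the comma form used in its registry keys and GetVariable output).
    # Normalise both to a [version] so they compare numerically, not as strings.
    param([Parameter(Mandatory)][string]$VersionString)
    $clean = ($VersionString -replace ',', '.').Trim()
    # File-version strings may carry trailing text; keep only the numeric prefix.
    if ($clean -match '^(\d+(\.\d+){1,3})') { return [version]$Matches[1] }
    throw "Unrecognised Flash version string: '$VersionString'"
}

function Test-FlashVulnerable {
    # True when the version is 15.0.0.167 or earlier.
    param([Parameter(Mandatory)][string]$VersionString)
    return (ConvertTo-FlashVersion $VersionString) -le $LastVulnerableVersion
}

function Get-FlashInstallStatus {
    # Enumerate Flash binaries in the assumed install directories and report
    # each one's file version and whether it falls in the vulnerable range.
    $dirs = @("$env:SystemRoot\System32\Macromed\Flash",
              "$env:SystemRoot\SysWOW64\Macromed\Flash") | Where-Object { Test-Path $_ }
    foreach ($dir in $dirs) {
        Get-ChildItem -Path $dir -Include 'Flash*.ocx', 'NPSWF*.dll' -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $ver  = $_.VersionInfo.FileVersion
                $vuln = if ($ver) { Test-FlashVulnerable $ver } else { $null }
                [pscustomobject]@{
                    Path       = $_.FullName
                    Version    = $ver
                    Vulnerable = $vuln
                }
            }
    }
}

# Constructed inputs exercising the comparison on its own (no files needed):
Test-FlashVulnerable '15.0.0.167'   # True: the last vulnerable build named in the post
Test-FlashVulnerable '15,0,0,167'   # True: same build in Flash's comma-separated form
Test-FlashVulnerable '15.0.0.189'   # False: a later build

# Report what is actually installed on this machine:
Get-FlashInstallStatus | Format-Table -AutoSize
```

String comparison would mis-order versions such as 15.0.0.167 and 15.0.0.9, which is why the example converts to [version] before comparing. Note that the file version only tells you what is on disk; a browser that still has an old plugin loaded keeps that version until it is restarted, so re-run the check after the update and a browser restart.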